
Author remi.lapeyre
Recipients geophile, remi.lapeyre
Date 2020-04-22.15:39:55
Message-id <1587569996.3.0.321269498144.issue40363@roundup.psfhosted.org>
Content
shlex.quote() makes the string safe to pass to a command; what if it's

   rm 'var/log/syslog*'

instead?

You make sure that only the file given would be removed, but then shlex.quote() shoots you in the foot.

This would also cause issues for files with '*' or other special characters in the name; you would not be able to pass their name anymore.

Also, not all shells have the same glob patterns, and some of them are actually configurable to enable more patterns, so it would be impossible to know what to escape or not; shlex.quote() just quotes everything unconditionally.

If you want to allow '*' at the end or inside the pattern, I think the best way is to look for it in your application, split (or take the prefix if you only want to allow it at the end), use shlex.quote() on the parts and concatenate with '*'.
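
The split-and-quote approach suggested in the message above, as an added example that is not part of the original message or of the shlex module. The helper names `quote_glob` and `quote_prefix_glob` are hypothetical, the inputs in the demo are constructed, and a POSIX shell is assumed.

```python
import shlex


def quote_glob(pattern: str) -> str:
    """Quote `pattern` for a POSIX shell, leaving only '*' active as a wildcard.

    Each literal piece between asterisks goes through shlex.quote(), so
    spaces, ';', '$', '?', '[' and quote characters stay inert.
    """
    if "*" not in pattern:
        return shlex.quote(pattern)
    # Empty pieces (leading, trailing or doubled '*') are skipped, because
    # shlex.quote('') would emit a redundant ''.
    return "*".join(shlex.quote(p) if p else "" for p in pattern.split("*"))


def quote_prefix_glob(pattern: str) -> str:
    """Stricter variant: honour one trailing '*' only; any other '*' is literal."""
    if not pattern.endswith("*"):
        return shlex.quote(pattern)
    prefix = pattern[:-1]
    return (shlex.quote(prefix) if prefix else "") + "*"


if __name__ == "__main__":
    import pathlib
    import subprocess
    import tempfile

    # Constructed demo: a scratch directory with a few files, listed via sh.
    with tempfile.TemporaryDirectory() as d:
        for name in ("syslog", "syslog.1", "sys log", "other"):
            pathlib.Path(d, name).touch()
        for user_input in ("syslog*", "sys log*", "x*; echo INJECTED"):
            cmd = "printf '%s\\n' " + quote_glob(user_input)
            out = subprocess.run(["sh", "-c", cmd], cwd=d,
                                 capture_output=True, text=True).stdout
            print(f"{cmd!r} -> {out.split(chr(10))[:-1]}")
```

The third demo input shows the point of quoting the parts: the text after `*` reaches `printf` as part of one unmatched pattern argument instead of being run as a second command.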