Vincent Lefevre wrote:
> On 2007-08-09 09:48:54 -0700, Steve Lamb wrote:
>> The same in Python but with far greater functionality:
> and a security hole!
And the one liner stopped this how, exactly? I mean it was globbing the
file fer pete's sake!
>> result = os.system("lame -h -b 160 '%s' '%s'" % (file, mp3))
> Imagine a filename contains: ' `some command`
Ok, I'll imagine that.
>>> import os
>>> foo = "' `ls -l`"
>>> os.system("echo '%s'" % foo)
sh: -c: line 0: unexpected EOF while looking for matching `''
sh: -c: line 1: syntax error: unexpected end of file
512
But of course this is a red herring on your part because we're starting
this discussion from the point of wanting to do a process to files we,
presumably, have vetted.
> But remember that when you use "system" (available in many languages),
> this is a shell that will be started behind, with all the problems of
> a shell.
Yes, which is why I tend to go native as much as possible. A feat far
easier in Python than Shell. :P
> In Perl, when one calls system with more than one element in the list,
> this calls execvp instead of doing a conventional "system". Now, I
> assume that Python also has some way to call execvp.
http://python.active-venture.com/lib/os-process.html
> In portable POSIX sh, yes. But with superior shells such as zsh, this
> is trivial. However, for complex transformations, though this can
> often be written with few characters, this is completely unreadable!
> (See for instance, the advanced zsh completion functions.)
Which is why I strayed away from Perl into Python land. And while zsh is
fairly ubiquitous in Linux/BSD land it is still shell with the problems that
come with it. BTW, in case you feel I am coming from Bash land with my
anti-shell sentiments...
[EMAIL PROTECTED]:~} grep grey /etc/passwd
grey:x:1000:1007:Steve Lamb:/home/grey:/bin/zsh
...been on zsh for years. I love its far superior completion and command
history. Won't code in it, however, not as long as #!/bin/env python is
around. And the joy of it is that if a box has zsh chances are high it'll
have python, too. ;)
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
