[issue26124] shlex.quote and pipes.quote do not quote shell keywords

Fri, 15 Jan 2016 11:30:24 -0800 

Charles Daffern added the comment:

>To be sure that it is existing program, you can use shutil.which()

I'd like to clear this up a little because this is worded as if 
shutil.which()'s success implies that the shell will not fail.

Here is the setup to demonstrate:

>>> import os, shlex, shutil, subprocess
>>> open("do", "w").write("#!/bin/sh\necho Something is being done...")
__main__:1: ResourceWarning: unclosed file <_io.TextIOWrapper name='do' 
mode='w' encoding='UTF-8'>
41
>>> os.chmod("do", 0o700)


Here is the behaviour using shlex.quote:

>>> subprocess.call(shlex.quote("do"), shell=True, env={'PATH': '.'})
/bin/sh: 1: Syntax error: "do" unexpected
2


Here is the behaviour when quoting properly:

>>> subprocess.call("'do'", shell=True, env={'PATH': '.'})
Something is being done...
0


Here is the output of shutil.which:

>>> shutil.which("do", path=".")
'./do'


So checking shutil.which()'s success or failure will not guard against this 
case (though using its output would work around the problem).

>It's not at all obvious that the intention is to ensure such an argument 
>should be treated only as a command external to the shell.
>
>If an application really wants to ensure the command is not handled as a shell 
>built-in, it should use shell=False.

The shell will still search builtins if the argument is quoted, it just won't 
search for keywords. So, a quoted "bind", "shopt" or "jobs" will still work, 
but a quoted "case", "fi" or "done" will cause the shell to search for a 
command of that name rather than treating it as syntax.

Looking at the source, shlex.quote's refusal to quote certain arguments appears 
to be intentional. I would rather it quote slightly more carefully than 
necessary, than quote something incorrectly.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue26124>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

Reply via email to