Rémi Lapeyre <remi.lape...@henki.fr> added the comment:

shlex.quote makes the string safe to pass to a command, what if it's rm 'var/log/syslog*' instead? You make sure that only the file given would be removed but then shlex.quote() shoots you in the foot. This would also cause issues for files with '*' or other special characters in the name, you would not be able to pass their name anymore.

Also, not all shells have the same glob patterns and some of them are actually configurable to enable more patterns, so it would be impossible to know what to escape or not, shlex.quote() just quotes everything unconditionally.

If you want to allow '*' at the end or inside the pattern I think the best way is to look for it in your application, split (or take the prefix if you only want to allow it in the end), use shlex.quote() on the parts and concatenate with '*'.

----------
nosy: +remi.lapeyre

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue40363>
_______________________________________
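
The split-quote-concatenate approach suggested in the comment above, as an added example that is not part of the original message or of CPython. The names `quote_glob`, `expand` and `trailing_only` are hypothetical, the sample file names are constructed, and a POSIX `sh` is assumed for the demonstration under `__main__`.

```python
import shlex
import subprocess
import tempfile
from pathlib import Path


def quote_glob(pattern: str, trailing_only: bool = False) -> str:
    """Quote `pattern` for a POSIX shell while leaving '*' active as a wildcard.

    Everything except '*' (spaces, ';', '?', '[', quotes, ...) goes through
    shlex.quote() and therefore reaches the command literally.
    """
    if trailing_only:
        # Only a final '*' is a wildcard; any other '*' stays literal.
        if pattern.endswith("*"):
            prefix = pattern[:-1]
            return (shlex.quote(prefix) if prefix else "") + "*"
        return shlex.quote(pattern)
    # Quote each piece between stars; empty pieces come from leading,
    # trailing or adjacent stars and need no quoting.
    return "*".join(shlex.quote(p) if p else "" for p in pattern.split("*"))


def expand(pattern: str, directory: str, **kwargs) -> list[str]:
    """Let sh expand the quoted pattern in `directory`; return sorted matches."""
    cmd = "printf '%s\\n' " + quote_glob(pattern, **kwargs)
    out = subprocess.run(["sh", "-c", cmd], cwd=directory,
                         capture_output=True, text=True, check=True).stdout
    return sorted(out.splitlines())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample files
        for name in ("syslog", "syslog.1", "my file.txt", "a*b", "axb"):
            Path(d, name).touch()
        # Wildcard still expands, the space does not split the argument.
        print(expand("syslog*", d))
        print(expand("my file*", d))
        # Only the last star is a wildcard: matches the file literally named a*b.
        print(expand("a*b*", d, trailing_only=True))
        # The ';' is quoted, so no second command runs.
        print(expand("x; echo pwned *", d))
```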