Steven D'Aprano wrote:
> os.system('dir -l %s' % 'text.txt')
>
>
> Now, there is a security risk: you might set command1 yourself, and
> allow the user to set args. If command1 is an external application
> with a security hole, and the user provides arguments that trigger that
> bug, then naturally your application will inherit whatever security
> vulnerabilities the external application suffers from. No surprises there.

There are also big risks like this

    filename = 'foo; rm importantfile'
    cmd = 'ls %s' % filename
    os.system(cmd)

oops!

--
Jeremy Sanders
http://www.jeremysanders.net/
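
An added example, not part of the original post: the same string-interpolation pattern next to two shell-safe forms. It assumes a POSIX system with /bin/sh and echo; echo stands in for ls, and the constructed filename carries a harmless "echo INJECTED" in place of the rm.

```python
import shlex
import subprocess

# Constructed hostile filename: a harmless stand-in for 'foo; rm importantfile'.
FILENAME = "foo; echo INJECTED"


def run_shell_interpolated(filename):
    """Same pattern as os.system('ls %s' % filename).

    The whole string goes to /bin/sh, so the ';' ends the first command
    and whatever follows runs as a second command.
    """
    proc = subprocess.run("echo listing %s" % filename, shell=True,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_argv(filename):
    """No shell: the filename is a single argv element, never parsed."""
    proc = subprocess.run(["echo", "listing", filename],
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_shell_quoted(filename):
    """Shell still in use, but shlex.quote() makes the value one literal word."""
    proc = subprocess.run("echo listing %s" % shlex.quote(filename), shell=True,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    for fn in (run_shell_interpolated, run_argv, run_shell_quoted):
        # Two output lines means the shell ran two commands.
        print("%-24s %r" % (fn.__name__, fn(FILENAME)))
```

Passing a list removes shell parsing only: the external program still treats a name beginning with "-" as an option, so put "--" before user-supplied names where the tool supports it.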