Velocity Reviews - Computer Hardware Reviews

building strings with variable input

 
 
Olaf Meyer
      01-12-2004
Sometimes I find it clumsy using the following approach to building strings:

cmd = "%s -start %s -end %s -dir %s" % (executable, startTime, endTime,
directory)

Especially if you have a lot of variable input it makes it hard to match
the variables to the proper fields. From other scripting languages I'm
used to something like:

$cmd = "$executable -start $startTime -end $endTime -dir $directory"

This makes it very easy to see how the string is actually built. You
don't have to worry where which variables go.

Is there a similar way to do this in python?

Thanks,
Olaf
 
Erik Max Francis
      01-12-2004
Olaf Meyer wrote:

> Especially if you have a lot of variable input it makes it hard to
> match the variables to the proper fields. From other scripting
> languages I'm used to something like:
>
> $cmd = "$executable -start $startTime -end $endTime -dir $directory"
>
> This makes it very easy to see how the string is actually built. You
> don't have to worry where which variables go.
>
> Is there a similar way to do this in python?


Sure:

cmd = ("%(executable)s -start %(startTime)s -end %(endTime)s "
       "-dir %(directory)s") % locals()

There are also more expansive solutions such as YAPTU or EmPy.

Note, however, that what you are trying to do (presuming you're passing
this to os.system or something similar) is potentially a serious
security risk. If the values of the strings you are constructing the
command line from are not fully trustworthy, they can be easily manipulated
to make your program execute arbitrary shell commands.

--
__ Erik Max Francis && (E-Mail Removed) && http://www.alcyone.com/max/
/ \ San Jose, CA, USA && 37 20 N 121 53 W && &tSftDotIotE
\__/ In the fight between you and the world, back the world.
-- Frank Zappa
 
Peter Otten
      01-12-2004
Olaf Meyer wrote:

> Sometimes I find it clumsy using the following approach to building
> strings:
>
> cmd = "%s -start %s -end %s -dir %s" % (executable, startTime, endTime,
> directory)
>
> Especially if you have a lot of variable input it makes it hard to match
> the variables to the proper fields. From other scripting languages I'm
> used to something like:
>
> $cmd = "$executable -start $startTime -end $endTime -dir $directory"
>
> This makes it very easy to see how the string is actually built. You
> don't have to worry where which variables go.
>
> Is there a similar way to do this in python?


>>> "from %(org)s to %(dest)s" % dict(org="X", dest="Y")

'from X to Y'

or even

>>> org = "A"
>>> dest = "B"
>>> "from %(org)s to %(dest)s" % locals()

'from A to B'

Peter
 
Olaf Meyer
      01-12-2004
Erik Max Francis wrote:

> Olaf Meyer wrote:
>
>
>>Especially if you have a lot of variable input it makes it hard to
>>match the variables to the proper fields. From other scripting
>>languages I'm used to something like:
>>
>> $cmd = "$executable -start $startTime -end $endTime -dir $directory"
>>
>>This makes it very easy to see how the string is actually built. You
>>don't have to worry where which variables go.
>>
>>Is there a similar way to do this in python?

>
>
> Sure:
>
> cmd = ("%(executable)s -start %(startTime)s -end %(endTime)s "
>        "-dir %(directory)s") % locals()
>
> There are also more expansive solutions such as YAPTU or EmPy.
>
> Note, however, that what you are trying to do (presuming you're passing
> this to os.system or something similar) is potentially a serious
> security risk. If the values of the strings you are constructing the
> command line from are not fully trustworthy, they can be easily manipulated
> to make your program execute arbitrary shell commands.
>


Erik,

thanks for your solution suggestion and pointing out the security risks.
However, security is not an issue in my case.

Olaf
 
David M. Cooke
      01-12-2004
At some point, Erik Max Francis <(E-Mail Removed)> wrote:

> Olaf Meyer wrote:
>
>> Especially if you have a lot of variable input it makes it hard to
>> match the variables to the proper fields. From other scripting
>> languages I'm used to something like:
>>
>> $cmd = "$executable -start $startTime -end $endTime -dir $directory"
>>
>> This makes it very easy to see how the string is actually built. You
>> don't have to worry where which variables go.
>>
>> Is there a similar way to do this in python?

>
> Sure:
>
> cmd = ("%(executable)s -start %(startTime)s -end %(endTime)s "
>        "-dir %(directory)s") % locals()
>
> There are also more expansive solutions such as YAPTU or EmPy.
>
> Note, however, that what you are trying to do (presuming you're passing
> this to os.system or something similar) is potentially a serious
> security risk. If the values of the strings you are constructing the
> command line from are not fully trustworthy, they can be easily manipulated
> to make your program execute arbitrary shell commands.


In which case he's probably better off with his original format (almost):

cmd = '"$executable" -start "$startTime" -end "$endTime" -dir "$directory"'
os.environ['executable'] = 'blah'
os.environ['startTime'] = '12'
os.environ['endTime'] = '18'
os.environ['directory'] = './'
os.system(cmd)

This way, the shell handles all the quoting. You can do
del os.environ['executable']
afterwards to clean up. I got this technique from
http://freshmeat.net/articles/view/337/

For the quoting, compare:
>>> os.environ['string'] = "`uname` $TERM"
>>> os.system('echo "$string"')

`uname` $PATH
(this is what we want: don't run arbitrary commands or expand
environment variables given in a user string)

with
>>> string = "`uname` $TERM"
>>> os.system('echo "%s"' % string)

Linux xterm
(whoops, security leak)

--
|>|\/|<
/--------------------------------------------------------------------------\
|David M. Cooke
|cookedm(at)physics(dot)mcmaster(dot)ca
 
Olaf Meyer
      01-12-2004
Erik Max Francis wrote:

> Olaf Meyer wrote:
>
>
>>Especially if you have a lot of variable input it makes it hard to
>>match the variables to the proper fields. From other scripting
>>languages I'm used to something like:
>>
>> $cmd = "$executable -start $startTime -end $endTime -dir $directory"
>>
>>This makes it very easy to see how the string is actually built. You
>>don't have to worry where which variables go.
>>
>>Is there a similar way to do this in python?

>
>
> Sure:
>
> cmd = ("%(executable)s -start %(startTime)s -end %(endTime)s "
>        "-dir %(directory)s") % locals()
>
> There are also more expansive solutions such as YAPTU or EmPy.
>
> Note, however, that what you are trying to do (presuming you're passing
> this to os.system or something similar) is potentially a serious
> security risk. If the values of the strings you are constructing the
> command line from are not fully trustworthy, they can be easily manipulated
> to make your program execute arbitrary shell commands.
>


I just found out another way. Using locals() has the disadvantage
that I cannot use more complex variable parameters (e.g. certain values
of a dictionary). The following works well:

cmd = (executable + " -start " + startTime + " -end " + endTime +
" -dir " + options.dir)

Olaf
 
Erik Max Francis
      01-12-2004
"David M. Cooke" wrote:

> In which case he's probably better off with his original format
> (almost):
>
> cmd = '"$executable" -start "$startTime" -end "$endTime" -dir \
> "$directory"'
> os.environ['executable'] = 'blah'
> os.environ['startTime'] = '12'
> os.environ['endTime'] = '18'
> os.environ['directory'] = './'
> os.system(cmd)


This doesn't resolve the underlying possibility for malicious people in
control of the contents of those variables to get it to execute
arbitrary shell code. (In his case he says it isn't an issue, but
still.)

--
__ Erik Max Francis && (E-Mail Removed) && http://www.alcyone.com/max/
/ \ San Jose, CA, USA && 37 20 N 121 53 W && &tSftDotIotE
\__/ It was involuntary. They sank my boat.
-- John F. Kennedy (on how he became a war hero)
 
David M. Cooke
      01-13-2004
At some point, Erik Max Francis <(E-Mail Removed)> wrote:

> "David M. Cooke" wrote:
>
>> In which case he's probably better off with his original format
>> (almost):
>>
>> cmd = '"$executable" -start "$startTime" -end "$endTime" -dir \
>> "$directory"'
>> os.environ['executable'] = 'blah'
>> os.environ['startTime'] = '12'
>> os.environ['endTime'] = '18'
>> os.environ['directory'] = './'
>> os.system(cmd)

>
> This doesn't resolve the underlying possibility for malicious people in
> control of the contents of those variables to get it to execute
> arbitrary shell code. (In his case he says it isn't an issue, but
> still.)


Do you mean something like
os.environ['startTime'] = '`rm -rf /`'
?
That 'rm -rf /' *won't* be executed: the shell will expand
"$startTime" to "`rm -rf /`", and that's it. Of course, if the
executable you're calling is a shell script that doesn't handle its
arguments correctly, then you're in trouble. That means $executable is
bad practice -- you're allowing arbitrary commands to be called.

--
|>|\/|<
/--------------------------------------------------------------------------\
|David M. Cooke
|cookedm(at)physics(dot)mcmaster(dot)ca
 
Erik Max Francis
      01-13-2004
"David M. Cooke" wrote:

> Do you mean something like
> os.environ['startTime'] = '`rm -rf /`'
> ?


No, I mean something like

os.environ['startTime'] = '"; rm -rf /; : "'

The lesson to be learned here is: Do not build shell commands from
untrusted inputs. Ever.

--
__ Erik Max Francis && (E-Mail Removed) && http://www.alcyone.com/max/
/ \ San Jose, CA, USA && 37 20 N 121 53 W && &tSftDotIotE
\__/ You are free and that is why you are lost.
-- Franz Kafka
 
David M. Cooke
      01-13-2004
At some point, Erik Max Francis <(E-Mail Removed)> wrote:

> "David M. Cooke" wrote:
>
>> Do you mean something like
>> os.environ['startTime'] = '`rm -rf /`'
>> ?

>
> No, I mean something like
>
> os.environ['startTime'] = '"; rm -rf /; : "'
>
> The lesson to be learned here is: Do not build shell commands from
> untrusted inputs. Ever.


Doesn't work:
>>> os.environ['string'] = '"; uname; : "'
>>> os.system('echo "$string"')

"; uname; : "

Although the advice of not building shell commands is still prudent;
just because none of my or your methods to defeat it have worked
doesn't mean there isn't a technique that will.

It's also dependent on having a good shell -- I'm using bash 2.05b.0.

--
|>|\/|<
/--------------------------------------------------------------------------\
|David M. Cooke
|cookedm(at)physics(dot)mcmaster(dot)ca
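As an added example (not code from any of the posts above), here is how the command this thread builds can be assembled in current Python so that values containing the shell metacharacters the posters argue about reach the program as literal arguments, with no shell in the path to re-parse them. The stand-in "executable" is the running interpreter echoing back its argv; the tool path and the two hostile-looking values are constructed for illustration.

```python
import json
import shlex
import subprocess
import sys

# Stand-in for the thread's "$executable": the running interpreter with a tiny
# script that reports, as JSON on stdout, the arguments it actually received.
ECHO_ARGV = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"]

# Constructed sample values carrying the metacharacters the thread worries about.
HOSTILE_START = '"; uname; : "'
HOSTILE_END = "`uname` $TERM"


def build_argv(executable, start_time, end_time, directory):
    """Build the command as an argument list, not a string.

    Each value is exactly one argv element, so no shell ever re-parses
    the quotes, ';' or backticks it may contain (the risk Erik describes)."""
    return [executable, "-start", start_time, "-end", end_time, "-dir", directory]


def build_shell_string(argv):
    """Only when a shell string is unavoidable: quote every token for POSIX sh."""
    return " ".join(shlex.quote(token) for token in argv)


def shell_roundtrip_ok(argv):
    """Check that a POSIX shell would split the quoted string back into argv."""
    return shlex.split(build_shell_string(argv)) == argv


def received_arguments(argv):
    """Run the stand-in program without a shell and return the argv it saw.

    argv[0] is replaced by ECHO_ARGV; the remaining tokens are passed through."""
    proc = subprocess.run(ECHO_ARGV + argv[1:], capture_output=True,
                          text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # "/opt/tool" is a placeholder path; it is never executed here.
    argv = build_argv("/opt/tool", HOSTILE_START, HOSTILE_END, "./")
    print("argv list:   ", argv)
    print("shell string:", build_shell_string(argv))
    print("program saw: ", received_arguments(argv))
    print("quoting round-trips:", shell_roundtrip_ok(argv))
```

The same list goes straight into subprocess.run for the real tool; it is os.system (or shell=True) that makes the quoting of each value matter at all.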