Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > Python > os.system() with imbeded quotes on centos

Reply
Thread Tools

os.system() with imbeded quotes on centos

 
 
cevyne@gmail.com
Guest
Posts: n/a
 
      04-01-2013
I get the example os.system('ls -al') no problem.

i'm trying to create a variable with my command built in it but needs to include quotes.
Portion of code is as follows:
someip = '192.168.01.01'

var1 = 'lynx -dump http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk'

print var1

os.system(var1)


If I print var1 it looks right . If I use the os.system(var1) as above it seems to have a problem near the end of the string with msg
sh: .submit=+++Go%21+++: command not found

clearly there is some escape sequence that I don't understand .

I tried combinations of single and double quotes and mixed around var1 in os.system(), but that generates command not found.

I need it to look like how I enter it manually and works
lynx -dump 'http://192.168.01.01/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk'

Probably obvious to many but i'm spinning my wheels. many thanks for help .
 
Reply With Quote
 
 
 
 
Chris Angelico
Guest
Posts: n/a
 
      04-01-2013
On Tue, Apr 2, 2013 at 6:22 AM, <(E-Mail Removed)> wrote:
> var1 = 'lynx -dump http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk'
> lynx -dump 'http://192.168.01.01/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk'



The problem is the &, which splits the command. Note how your manual
execution puts single quotes around just the URL; in the other
version, you're not doing that. (Though I'm not entirely sure why your
> junk is inside the quotes - is that an error?) Try this:


var1 = 'lynx -dump "http://' + someip +
'/cgi-bin/xxxx.log&.submit=+++Go%21+++" > junk'

ChrisA
 
Reply With Quote
 
 
 
 
John Gordon
Guest
Posts: n/a
 
      04-01-2013
In <(E-Mail Removed)> http://www.velocityreviews.com/forums/(E-Mail Removed) writes:

> someip = '192.168.01.01'
> var1 = 'lynx -dump http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk'


'&' is a special character in shell commands. You'll need to quote or
escape it.

Try this:

someip = '192.168.01.01'
var1 = 'lynx -dump "http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++" > junk'

Note the extra pair of double-quotes around the http:// part.

--
John Gordon A is for Amy, who fell down the stairs
(E-Mail Removed) B is for Basil, assaulted by bears
-- Edward Gorey, "The Gashlycrumb Tinies"

 
Reply With Quote
 
Cameron Simpson
Guest
Posts: n/a
 
      04-05-2013
On 01Apr2013 20:26, John Gordon <(E-Mail Removed)> wrote:
| In <(E-Mail Removed)> (E-Mail Removed) writes:
| > someip = '192.168.01.01'
| > var1 = 'lynx -dump http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk'
|
| '&' is a special character in shell commands. You'll need to quote or
| escape it.

Or better still, use the subprocess module and avoid going via the
os.system() altogether:

http://docs.python.org/2/library/sub...en-constructor

If you must go via the os.system(), write yourself a generic function
to quote a string for the shell, and to quote a bunch of strings
(essentially " ".join( quoted-individual-strings )). And use it
rigorously.

Anything else is asking for shell injection attacks/errors, just
as bad as hand constructing SQL statements.

For example, if I must construct a shell command from arbitrary
strings (like your URL) I use quote() from this:

https://bitbucket.org/cameron_simpso...ython/cs/sh.py

That code's nothing special, just what I rolled some years ago for
exactly this purpose.

The core lesson is: never waste time figuring out _whether_ you
need to treat shell strings specially. Just treat them specially
and consistently and be safe.

Cheers,
--
Cameron Simpson <(E-Mail Removed)>
--
cat: /Users/cameron/rc/mail/signature.: No such file or directory

The Design View editor of Visual InterDev 6.0 is currently incompatible
with Compatibility Mode, and may not function correctly.
- George Politis <(E-Mail Removed)>, 22apr1999,
quoting http://msdn.microsoft.com/vstudio/technical/ie5.asp
 
Reply With Quote
 
Chris Rebert
Guest
Posts: n/a
 
      04-05-2013
On Fri, Apr 5, 2013 at 3:00 PM, Cameron Simpson <(E-Mail Removed)> wrote:
> On 01Apr2013 20:26, John Gordon <(E-Mail Removed)> wrote:
> | In <(E-Mail Removed)> (E-Mail Removed) writes:
> | > someip = '192.168.01.01'
> | > var1 = 'lynx -dump http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk'
> |
> | '&' is a special character in shell commands. You'll need to quote or
> | escape it.
>
> Or better still, use the subprocess module and avoid going via the
> os.system() altogether:
>
> http://docs.python.org/2/library/sub...en-constructor
>
> If you must go via the os.system(), write yourself a generic function
> to quote a string for the shell, and to quote a bunch of strings
> (essentially " ".join( quoted-individual-strings )). And use it
> rigorously.
>
> Anything else is asking for shell injection attacks/errors, just
> as bad as hand constructing SQL statements.
>
> For example, if I must construct a shell command from arbitrary
> strings (like your URL) I use quote() from this:
>
> https://bitbucket.org/cameron_simpso...ython/cs/sh.py
>
> That code's nothing special, just what I rolled some years ago for
> exactly this purpose.


No need for third-party code, just use the std lib:
http://docs.python.org/2/library/pipes.html#pipes.quote
http://docs.python.org/3/library/shlex.html#shlex.quote

(But yeah, best of all is to just use `subprocess` with shell=False.)

Cheers,
Chris
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
regex to avoid escaped quotes or double quotes jOhn Ruby 1 01-29-2008 08:31 PM
PHP double quotes inside double quotes MSB Computer Support 11 10-21-2006 01:09 PM
Asp.NET Javascript string, want to pass '(single quotes' within '(single quotes) Chris ASP .Net 1 03-24-2006 09:03 PM
Quotes/Double Quotes in Image Control Chris White ASP .Net 1 09-22-2004 06:22 AM
Multiline quotes - escaping quotes - et al Lawrence Tierney Java 3 12-24-2003 05:12 PM



Advertisments