os.system() with imbeded quotes on centos

C

cevyne

I get the example os.system('ls -al') no problem.

i'm trying to create a variable with my command built in it but needs to include quotes.
Portion of code is as follows:
someip = '192.168.01.01'

var1 = 'lynx -dump http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk'

print var1

os.system(var1)


If I print var1 it looks right . If I use the os.system(var1) as above it seems to have a problem near the end of the string with msg
sh: .submit=+++Go%21+++: command not found

clearly there is some escape sequence that I don't understand .

I tried combinations of single and double quotes and mixed around var1 in os.system(), but that generates command not found.

I need it to look like how I enter it manually and works
lynx -dump 'http://192.168.01.01/cgi-bin/xxxx.log&.submit=+++Go!+++ > junk'

Probably obvious to many but i'm spinning my wheels. many thanks for help .
 
C

Chris Angelico

var1 = 'lynx -dump http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk'
lynx -dump 'http://192.168.01.01/cgi-bin/xxxx.log&.submit=+++Go!+++ > junk'
Click to expand...


The problem is the &, which splits the command. Note how your manual
execution puts single quotes around just the URL; in the other
version, you're not doing that. (Though I'm not entirely sure why your
junk is inside the quotes - is that an error?) Try this:
Click to expand...

var1 = 'lynx -dump "http://' + someip +
'/cgi-bin/xxxx.log&.submit=+++Go%21+++" > junk'

ChrisA
 
J

John Gordon

In said:
someip = '192.168.01.01'
var1 = 'lynx -dump http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk'
Click to expand...

'&' is a special character in shell commands. You'll need to quote or
escape it.

Try this:

someip = '192.168.01.01'
var1 = 'lynx -dump "http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++" > junk'

Note the extra pair of double-quotes around the http:// part.
 
C

Cameron Simpson

| > someip = '192.168.01.01'
| > var1 = 'lynx -dump http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk'
|
| '&' is a special character in shell commands. You'll need to quote or
| escape it.

Or better still, use the subprocess module and avoid going via the
os.system() altogether:

http://docs.python.org/2/library/subprocess.html#popen-constructor

If you must go via the os.system(), write yourself a generic function
to quote a string for the shell, and to quote a bunch of strings
(essentially " ".join( quoted-individual-strings )). And use it
rigorously.

Anything else is asking for shell injection attacks/errors, just
as bad as hand constructing SQL statements.

For example, if I must construct a shell command from arbitrary
strings (like your URL) I use quote() from this:

https://bitbucket.org/cameron_simpson/css/src/tip/lib/python/cs/sh.py

That code's nothing special, just what I rolled some years ago for
exactly this purpose.

The core lesson is: never waste time figuring out _whether_ you
need to treat shell strings specially. Just treat them specially
and consistently and be safe.

Cheers,
--
Cameron Simpson <[email protected]>
--
cat: /Users/cameron/rc/mail/signature.: No such file or directory

The Design View editor of Visual InterDev 6.0 is currently incompatible
with Compatibility Mode, and may not function correctly.
- George Politis <[email protected]>, 22apr1999,
quoting http://msdn.microsoft.com/vstudio/technical/ie5.asp
 
C

Chris Rebert

| > someip = '192.168.01.01'
| > var1 = 'lynx -dump http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk'
|
| '&' is a special character in shell commands. You'll need to quote or
| escape it.

Or better still, use the subprocess module and avoid going via the
os.system() altogether:

http://docs.python.org/2/library/subprocess.html#popen-constructor

If you must go via the os.system(), write yourself a generic function
to quote a string for the shell, and to quote a bunch of strings
(essentially " ".join( quoted-individual-strings )). And use it
rigorously.

Anything else is asking for shell injection attacks/errors, just
as bad as hand constructing SQL statements.

For example, if I must construct a shell command from arbitrary
strings (like your URL) I use quote() from this:

https://bitbucket.org/cameron_simpson/css/src/tip/lib/python/cs/sh.py

That code's nothing special, just what I rolled some years ago for
exactly this purpose.
Click to expand...

No need for third-party code, just use the std lib:
http://docs.python.org/2/library/pipes.html#pipes.quote
http://docs.python.org/3/library/shlex.html#shlex.quote

(But yeah, best of all is to just use `subprocess` with shell=False.)

Cheers,
Chris
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

strange behavior with os.system 3
python and os.system() failure 4
execv putting quotes around arguments 1
Running os.system from browser 3
Need help with printing Unicode! (C++ on CentOS) 30
Why is pexpect acting funny with sendline() and expect()? 0
How can I capture all exceptions especially when os.system() fail? Thanks 3
Backticks with single quote inside single quotes 10

Members online

No members online now.
Total: 24 (members: 0, guests: 24)
Robots: 443

Forum statistics

Threads
473,769
Messages
2,569,580
Members
45,054
Latest member
TrimKetoBoost

Latest Threads

Top