How to avoid Shell Injection with a path variable and wait for command exist?

Question

I need to read the exit of a command (then I have to wait for it in sync way):

import subprocess
subprocess.call('ls ~', shell=True)

My problem is a path like this:

~/testing/;xterm;/blabla

How could I sanitize that string from user (allowing special characters from his language)?

import subprocess
subprocess.call('ls ~/testing/;xterm;/blabla', shell=True) # This will launch xterm

I found escapeshellcmd in PHP, but I didn't find anything in Python.

PS: It's not a duplicate of this:

Because it's the complete path, not the filename.
And I read the os.path and I didn't find a solution.

Thanks in advance!

=======

falsetru · Accepted Answer · 2015-01-17T12:53:34.467

4

Pass a list instead of a string. And remove shell=True to make the command are not run by shell. (You need to expand ~ yourself using os.path.expanduser)

import os
import subprocess

subprocess.call(['ls', os.path.expanduser('~') + '/testing/;xterm;/blabla'])

Side note: If you want to get list of filenames, you'd better to use os.listdir instead:

filelist = os.listdir(os.path.expanduser('~') + '/testing/;xterm;/blabla')

edited Jan 17 '15 at 12:53

answered Jan 17 '15 at 12:47

falsetru

357,413
63
732
636

Thanks, but I found this problem: without the shell=True, I can't get the exit of the command, filelist is always empty. – Costales Jan 17 '15 at 13:06
1

@costales, It's weird. Could you try this? `filelist = os.listdir(os.path.join(os.path.expanduser('~'), 'testing', ';xterm;', 'blabla'))` – falsetru Jan 17 '15 at 13:09
I would use check_call unless you want to ignore non zero exit status – Padraic Cunningham Jan 17 '15 at 13:11
@falsetru, yes that is what I meant. – Padraic Cunningham Jan 17 '15 at 13:14
@falsetru: Thanks a lot! the os library is solving my issue :) – Costales Jan 17 '15 at 14:30

How to avoid Shell Injection with a path variable and wait for command exist?

1 Answers1