FAQ
Sometimes if find it clumsy unsing the following approach building strings:

cmd = "%s -start %s -end %s -dir %s" % (executable, startTime, endTime,
directory)

Especially if you have a lot of variable input it makes it hard to match
the variables to the proper fields. From other scripting languanges I'm
used to something like:

$cmd = "$executable -start $startTime -end $endTime -dir $directory"

This makes it very easy to see how the string is actually built. You
dont't have to worry where which variables go.

Is there a similar way to do this in python?

Thanks,
Olaf

Search Discussions

  • Erik Max Francis at Jan 12, 2004 at 10:15 am

    Olaf Meyer wrote:

    Especially if you have a lot of variable input it makes it hard to
    match
    the variables to the proper fields. From other scripting languanges
    I'm
    used to something like:

    $cmd = "$executable -start $startTime -end $endTime -dir $directory"

    This makes it very easy to see how the string is actually built. You
    dont't have to worry where which variables go.

    Is there a similar way to do this in python?
    Sure:

    cmd = "%(executable)s -start %(startTime)s -end %(endTime)s -dir
    %(directory)s" % locals()

    There are also more expansive solutions such as YAPTU or EmPy.

    Note, however, that what you are trying to do (presuming you're passing
    this to os.system or something similar) is potentially a serious
    security risk. If the values of the strings you are constructing the
    command line are not fully trustworthy, they can be easily manipulated
    to make your program execute arbitrary shell commands.

    --
    __ Erik Max Francis && max at alcyone.com && http://www.alcyone.com/max/
    / \ San Jose, CA, USA && 37 20 N 121 53 W && &tSftDotIotE
    \__/ In the fight between you and the world, back the world.
    -- Frank Zappa
  • Olaf Meyer at Jan 12, 2004 at 3:12 pm

    Erik Max Francis wrote:

    Olaf Meyer wrote:

    Especially if you have a lot of variable input it makes it hard to
    match
    the variables to the proper fields. From other scripting languanges
    I'm
    used to something like:

    $cmd = "$executable -start $startTime -end $endTime -dir $directory"

    This makes it very easy to see how the string is actually built. You
    dont't have to worry where which variables go.

    Is there a similar way to do this in python?

    Sure:

    cmd = "%(executable)s -start %(startTime)s -end %(endTime)s -dir
    %(directory)s" % locals()

    There are also more expansive solutions such as YAPTU or EmPy.

    Note, however, that what you are trying to do (presuming you're passing
    this to os.system or something similar) is potentially a serious
    security risk. If the values of the strings you are constructing the
    command line are not fully trustworthy, they can be easily manipulated
    to make your program execute arbitrary shell commands.
    Erik,

    thanks for your solution suggestion and pointing out the security risks.
    However security is not an issue in my case ;-)

    Olaf
  • David M. Cooke at Jan 12, 2004 at 3:27 pm

    At some point, Erik Max Francis wrote:

    Olaf Meyer wrote:
    Especially if you have a lot of variable input it makes it hard to
    match
    the variables to the proper fields. From other scripting languanges
    I'm
    used to something like:

    $cmd = "$executable -start $startTime -end $endTime -dir $directory"

    This makes it very easy to see how the string is actually built. You
    dont't have to worry where which variables go.

    Is there a similar way to do this in python?
    Sure:

    cmd = "%(executable)s -start %(startTime)s -end %(endTime)s -dir
    %(directory)s" % locals()

    There are also more expansive solutions such as YAPTU or EmPy.

    Note, however, that what you are trying to do (presuming you're passing
    this to os.system or something similar) is potentially a serious
    security risk. If the values of the strings you are constructing the
    command line are not fully trustworthy, they can be easily manipulated
    to make your program execute arbitrary shell commands.
    In which case he's probably better off with his original format (almost):

    cmd = '"$executable" -start "$startTime" -end "$endTime" -dir "$directory"'
    os.environ['executable'] = 'blah'
    os.environ['startTime'] = '12'
    os.environ['endTime'] = '18'
    os.environ['directory'] = './'
    os.system(cmd)

    This way, the shell handles all the quoting. You can do
    del os.environ['executable']
    afterwards to clean up. I got this technique from
    http://freshmeat.net/articles/view/337/

    For the quoting, compare:
    os.environ['string'] = "`uname` $TERM"
    os.system('echo "$string"')
    `uname` $PATH
    (this is what we want: don't run arbitrary commands or expand
    environment variables given in a user string)

    with
    string = "`uname` $TERM"
    os.system('echo "%s"' % string)
    Linux xterm
    (whoops, security leak)

    --
    \/|<
    /--------------------------------------------------------------------------\
    David M. Cooke
    cookedm(at)physics(dot)mcmaster(dot)ca
  • Erik Max Francis at Jan 12, 2004 at 7:45 pm

    "David M. Cooke" wrote:

    In which case he's probably better off with his original format
    (almost):

    cmd = '"$executable" -start "$startTime" -end "$endTime" -dir \
    "$directory"'
    os.environ['executable'] = 'blah'
    os.environ['startTime'] = '12'
    os.environ['endTime'] = '18'
    os.environ['directory'] = './'
    os.system(cmd)
    This doesn't resolve the underlying possibility for mailicious people in
    control of the contents of those variables to get it to execute
    arbitrary shell code. (In his case he says it isn't an issue, but
    still.)

    --
    __ Erik Max Francis && max at alcyone.com && http://www.alcyone.com/max/
    / \ San Jose, CA, USA && 37 20 N 121 53 W && &tSftDotIotE
    \__/ It was involuntary. They sank my boat.
    -- John F. Kennedy (on how he became a war hero)
  • David M. Cooke at Jan 13, 2004 at 2:51 am

    At some point, Erik Max Francis wrote:

    "David M. Cooke" wrote:
    In which case he's probably better off with his original format
    (almost):

    cmd = '"$executable" -start "$startTime" -end "$endTime" -dir \
    "$directory"'
    os.environ['executable'] = 'blah'
    os.environ['startTime'] = '12'
    os.environ['endTime'] = '18'
    os.environ['directory'] = './'
    os.system(cmd)
    This doesn't resolve the underlying possibility for mailicious people in
    control of the contents of those variables to get it to execute
    arbitrary shell code. (In his case he says it isn't an issue, but
    still.)
    Do you mean something like
    os.environ['startTime'] = '`rm -rf /`'
    ?
    That 'rm -rf /' *won't* be executed: the shell will expand
    "$startTime" to "`rm -rf /`", and that's it. Of course, if the
    executable you're calling is a shell script that doesn't handle it's
    arguments correctly, then you're in trouble. That means $executable is
    bad practice -- you're allowing arbitrary commands to be called.

    --
    \/|<
    /--------------------------------------------------------------------------\
    David M. Cooke
    cookedm(at)physics(dot)mcmaster(dot)ca
  • Erik Max Francis at Jan 13, 2004 at 5:02 am

    "David M. Cooke" wrote:

    Do you mean something like
    os.environ['startTime'] = '`rm -rf /`'
    ?
    No, I mean something like

    os.environ['startTime'] = '"; rm -rf /; : "'

    The lesson to be learned here is: Do not build shell commands from
    untrusted inputs. Ever.

    --
    __ Erik Max Francis && max at alcyone.com && http://www.alcyone.com/max/
    / \ San Jose, CA, USA && 37 20 N 121 53 W && &tSftDotIotE
    \__/ You are free and that is why you are lost.
    -- Franz Kafka
  • David M. Cooke at Jan 13, 2004 at 2:49 pm

    At some point, Erik Max Francis wrote:

    "David M. Cooke" wrote:
    Do you mean something like
    os.environ['startTime'] = '`rm -rf /`'
    ?
    No, I mean something like

    os.environ['startTime'] = '"; rm -rf /; : "'

    The lesson to be learned here is: Do not build shell commands from
    untrusted inputs. Ever.
    Doesn't work:
    os.environ['string'] = '"; uname; : "'
    os.system('echo "$string"')
    "; uname; : "

    Although the advice of not building shell commands is still prudent;
    just because none of mine or your methods to defeat haven't worked,
    doesn't mean there isn't a technique that will.

    It's also dependent on having a good shell -- I'm using bash 2.05b.0.

    --
    \/|<
    /--------------------------------------------------------------------------\
    David M. Cooke
    cookedm(at)physics(dot)mcmaster(dot)ca
  • Olaf Meyer at Jan 12, 2004 at 3:55 pm

    Erik Max Francis wrote:

    Olaf Meyer wrote:

    Especially if you have a lot of variable input it makes it hard to
    match
    the variables to the proper fields. From other scripting languanges
    I'm
    used to something like:

    $cmd = "$executable -start $startTime -end $endTime -dir $directory"

    This makes it very easy to see how the string is actually built. You
    dont't have to worry where which variables go.

    Is there a similar way to do this in python?

    Sure:

    cmd = "%(executable)s -start %(startTime)s -end %(endTime)s -dir
    %(directory)s" % locals()

    There are also more expansive solutions such as YAPTU or EmPy.

    Note, however, that what you are trying to do (presuming you're passing
    this to os.system or something similar) is potentially a serious
    security risk. If the values of the strings you are constructing the
    command line are not fully trustworthy, they can be easily manipulated
    to make your program execute arbitrary shell commands.
    I just found out another way ;-) Using the locals() has the disadvantage
    that I cannot use more complex variable parameters (e.g. certain values
    of a dictionary). The following works well:

    cmd = (executable + " -start " + startTime + " -end " + endTime +
    " -dir " + options.dir)

    Olaf
  • Tim Roberts at Jan 14, 2004 at 7:31 am

    Olaf Meyer wrote:
    I just found out another way ;-) Using the locals() has the disadvantage
    that I cannot use more complex variable parameters (e.g. certain values
    of a dictionary). The following works well:

    cmd = (executable + " -start " + startTime + " -end " + endTime +
    " -dir " + options.dir)
    Yes, that works, but you should bear in mind that it is slower than the %s
    option. The "+" operations are all separate interpreter steps, while the
    "%" operation is done in C.

    At least, it was that way when I asked this same question several years
    ago. If it has changed, I'm sure someone will point out my error.

    Sometimes, it can make sense to write it this way:

    cmd = ' '.join((
    executable,
    "-start", startTime,
    "-end", endTime,
    "-dir", options.dir
    ))
    --
    - Tim Roberts, timr at probo.com
    Providenza & Boekelheide, Inc.
  • Paul McGuire at Jan 14, 2004 at 7:39 am
    "Tim Roberts" <timr at probo.com> wrote in message
    news:3rr900dm9s7th7kgq4muj76d5ocs5uep3b at 4ax.com...
    Olaf Meyer wrote:
    I just found out another way ;-) Using the locals() has the disadvantage
    that I cannot use more complex variable parameters (e.g. certain values
    of a dictionary). The following works well:

    cmd = (executable + " -start " + startTime + " -end " + endTime +
    " -dir " + options.dir)
    Yes, that works, but you should bear in mind that it is slower than the %s
    option. The "+" operations are all separate interpreter steps, while the
    "%" operation is done in C.
    On the relative time scales of concatenating 7 strings compared to forking
    off a separate process (which I presume is what is to be done with cmd), I'd
    go for the more readable representation, to aid in long term
    maintainability.

    If I have some string concatenation being done in a highly repetitive part
    of code, then by all means, replace it with one of the half dozen documented
    optimized alternatives. But if I build a string in order to create a
    sub-process, or invoke a database query, or make a remote CORBA invocation,
    etc., then these "optimizations" don't really save much time, and instead
    distract me/reviewers/testers/maintainers from the important program logic.

    -- Paul
  • Peter Otten at Jan 12, 2004 at 10:20 am

    Olaf Meyer wrote:

    Sometimes if find it clumsy unsing the following approach building
    strings:

    cmd = "%s -start %s -end %s -dir %s" % (executable, startTime, endTime,
    directory)

    Especially if you have a lot of variable input it makes it hard to match
    the variables to the proper fields. From other scripting languanges I'm
    used to something like:

    $cmd = "$executable -start $startTime -end $endTime -dir $directory"

    This makes it very easy to see how the string is actually built. You
    dont't have to worry where which variables go.

    Is there a similar way to do this in python?
    "from %(org)s to %(dest)s" % dict(org="X", dest="Y")
    'from X to Y'

    or even
    org = "A"
    dest = "B"
    "from %(org)s to %(dest)s" % locals()
    'from A to B'

    Peter
  • Dave Benjamin at Jan 17, 2004 at 9:09 pm

    In article <pduMb.6321$g4.137247 at news2.nokia.com>, Olaf Meyer wrote:
    Sometimes if find it clumsy unsing the following approach building strings:

    cmd = "%s -start %s -end %s -dir %s" % (executable, startTime, endTime,
    directory)

    Especially if you have a lot of variable input it makes it hard to match
    the variables to the proper fields. From other scripting languanges I'm
    used to something like:

    $cmd = "$executable -start $startTime -end $endTime -dir $directory"

    This makes it very easy to see how the string is actually built. You
    dont't have to worry where which variables go.

    Is there a similar way to do this in python?
    Go here:
    http://lfw.org/python/

    Look under "string interpolation for Python".

    Examples supported:

    "Here is a $string."
    "Here is a $module.member."
    "Here is an $object.member."
    "Here is a $functioncall(with, arguments)."
    "Here is an ${arbitrary + expression}."
    "Here is an $array[3] member."
    "Here is a $dictionary['member']."

    Thanks to Ka-Ping Yee! I've succesfully used this to build a homebrew
    templating language. It's nice and lightweight.

    --
    .:[ dave benjamin (ramenboy) -:- www.ramenfest.com -:- www.3dex.com ]:.
    : d r i n k i n g l i f e o u t o f t h e c o n t a i n e r :

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
grouppython-list @
categoriespython
postedJan 12, '04 at 9:58a
activeJan 17, '04 at 9:09p
posts13
users7
websitepython.org

People

Translate

site design / logo © 2018 Grokbase