how to invoke the shell command and then get the result in python

Hi,

I want to do the following: get a user input regex, then pass this as a
parameter to grep, and then get the result from grep.

Any code snippet to implement a similar function? I am a Python newbie.

Thanks a lot.
Bin

Dec 5 '06 #1
Bin Chen wrote:
> I want to do the following: get a user input regex, then pass this as a
> parameter to grep, and then get the result from grep.
>
> Any code snippet to implement a similar function? I am a Python newbie.

    import os
    for line in os.popen("grep pattern *.txt"):
        print line,

also see os.system and subprocess.

note that if you want to write portable code, you can implement your own
"grep" using the "re" module:

    import re
    p = re.compile(pattern)
    for index, line in enumerate(open(filename)):
        if p.search(line):  # search, like grep, matches anywhere in the line
            print index, line,

</F>

Dec 5 '06 #2


Fredrik Lundh wrote:
> import os
> for line in os.popen("grep pattern *.txt"):
>     print line,
>
> also see os.system and subprocess.
>
> note that if you want to write portable code, you can implement your own
> "grep" using the "re" module:
> </F>

Also, for a wrapper around popen, try commands:

    import commands

    pattern = raw_input('pattern to search? ')
    print commands.getoutput('grep %s *.txt' % pattern)

Pete

Dec 5 '06 #3
pe********@gmail.com wrote:
> Also, for a wrapper around popen, try commands:
>
> import commands
>
> pattern = raw_input('pattern to search? ')
> print commands.getoutput('grep %s *.txt' % pattern)

that's not quite as portable as the other alternatives, though. "grep"
is at least available for non-Unix platforms, but "commands" requires a
unix shell.

for Python 2.5 and later, you could use:

    import glob

    def getoutput(cmd):
        from subprocess import Popen, PIPE, STDOUT
        # a string goes through the shell; a list is passed straight to the process
        p = Popen(cmd, stdout=PIPE, stderr=STDOUT,
                  shell=isinstance(cmd, basestring))
        return p.communicate()[0]

    # the file names are appended to the argument list, not nested inside it
    print getoutput(["grep", pattern] + glob.glob("*.txt"))

which, if given a list instead of a string, passes the arguments
right through to the underlying process, without going through the
shell (consider searching for "-" or ";rm" with the original code).

</F>

Dec 5 '06 #4
pe********@gmail.com <pe********@gmail.com> wrote:
> Also, for a wrapper around popen, try commands:
>
> import commands
>
> pattern = raw_input('pattern to search? ')
> print commands.getoutput('grep %s *.txt' % pattern)

What if I entered "; rm -rf * ;" as my pattern?

Don't ever pass user input (from file/web/raw_input) to the shell if
you want to write a secure program!

If you use subprocess then you can use a sequence of args to bypass
the shell rather than a string to be passed to the shell. That will
get over lots of shell escaping problems too. Eg

    from subprocess import Popen, PIPE
    from glob import glob
    pattern = raw_input('pattern to search? ')
    files = glob("*.txt")
    output = Popen(["grep", pattern] + files, stdout=PIPE).communicate()[0]
    print output

You can also use subprocess to read the return code of the command and
its stderr both of which you'll need if you are programming
defensively!

--
Nick Craig-Wood <ni**@craig-wood.com> -- http://www.craig-wood.com/nick
Dec 5 '06 #5
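
The approach from the post above (an argument list instead of a shell string, plus checking grep's return code and stderr), as an added example that is not part of the original thread. It is written for Python 3; `safe_grep`, `GrepError`, `demo` and the sample files are constructed for illustration, and the `-e` and `--` arguments go beyond the thread's code so that a pattern starting with "-" is not parsed as a grep option.

```python
import subprocess
import tempfile
from pathlib import Path


class GrepError(Exception):
    """grep exited with status 2 or more (bad regex, unreadable file, ...)."""


def safe_grep(pattern, directory, file_glob="*.txt"):
    """Search files under `directory` for `pattern` without using a shell.

    Returns (matching_lines, returncode); raises GrepError on grep failure.
    """
    # Expand the wildcard in Python; no shell is involved at any point.
    files = sorted(str(p) for p in Path(directory).glob(file_glob))
    if not files:
        return [], 1  # with no file operands grep would wait on stdin
    # -e marks the next argv element as the pattern even if it starts
    # with "-"; "--" ends option parsing before the file names.
    argv = ["grep", "-e", pattern, "--"] + files
    proc = subprocess.run(argv, capture_output=True, text=True)
    # grep exit status: 0 = match found, 1 = no match, 2 or more = error.
    if proc.returncode > 1:
        raise GrepError(proc.stderr.strip())
    return proc.stdout.splitlines(), proc.returncode


def demo():
    """Run constructed patterns against constructed sample files."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        Path(d, "a.txt").write_text("alpha\n-v is a flag\n")
        Path(d, "b.txt").write_text("beta; rm -rf ;\n")
        for pat in ["; rm -rf * ;", "-v", "no such text", "["]:
            try:
                results[pat] = safe_grep(pat, d)
            except GrepError as exc:
                results[pat] = ("error", str(exc))
        # Both files must survive: the ";" never reached a shell.
        results["files_left"] = sorted(p.name for p in Path(d).iterdir())
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(repr(key), "->", value)
```

The first pattern still matches a line in `b.txt`, because grep reads its `*` as a regex quantifier rather than a shell wildcard; the unbalanced `[` surfaces as a `GrepError` carrying grep's stderr instead of silently returning empty output.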

Nick Craig-Wood wrote:
> What if I entered "; rm -rf * ;" as my pattern?

Assuming the script isn't setuid, this would do no more damage than the
user could do directly on the command line. I agree, when dealing with
web applications or setuid programs, direct shell access isn't a good
idea.

Pete

Dec 6 '06 #6
pe********@gmail.com wrote:
> Assuming the script isn't setuid, this would do no more damage than the
> user could do directly on the command line.

except that when the user is typing things into the command line, he
*knows* that he's typing things into the command line.

</F>

Dec 6 '06 #7
Fredrik Lundh <fr*****@pythonware.com> wrote:
> pe********@gmail.com wrote:
> > Assuming the script isn't setuid, this would do no more damage than the
> > user could do directly on the command line.
>
> except that when the user is typing things into the command line, he
> *knows* that he's typing things into the command line.

Aye!

Who is to say that this script won't get re-used innocently in a web
application?

And in this particular example we were talking about typing regular
expressions into the shell, which have many of the same metacharacters
as the shell. So even an innocent use of the above can cause
problems.

Just say no to passing user input (from anywhere at all) via the
shell! That (along with SQL injection attacks which are very similar
in concept) is one of the most common security attacks for scripting
languages like Python when used in a web environment.

--
Nick Craig-Wood <ni**@craig-wood.com> -- http://www.craig-wood.com/nick
Dec 6 '06 #8
