[issue26124] shlex.quote and pipes.quote do not quote shell keywords

2019-05-14 Thread Windson Yang


Change by Windson Yang :


--
keywords: +patch
pull_requests: +13245
stage: needs patch -> patch review

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue26124] shlex.quote and pipes.quote do not quote shell keywords

2016-01-18 Thread R. David Murray

R. David Murray added the comment:

Quote is for quoting shell special characters, not command names.  It would be 
fairly straightforward to add that to the docs ("Return a version of the string 
s with all shell special characters (including whitespace) escaped 
according to shell escaping rules.").  Wordier, but more accurate, and not *too* 
much longer.

--
nosy: +r.david.murray




[issue26124] shlex.quote and pipes.quote do not quote shell keywords

2016-01-15 Thread Charles Daffern

Charles Daffern added the comment:

>To be sure that it is an existing program, you can use shutil.which()

I'd like to clear this up a little because this is worded as if 
shutil.which()'s success implies that the shell will not fail.

Here is the setup to demonstrate:

>>> import os, shlex, shutil, subprocess
>>> open("do", "w").write("#!/bin/sh\necho Something is being done...")
__main__:1: ResourceWarning: unclosed file <_io.TextIOWrapper name='do' 
mode='w' encoding='UTF-8'>
41
>>> os.chmod("do", 0o700)


Here is the behaviour using shlex.quote:

>>> subprocess.call(shlex.quote("do"), shell=True, env={'PATH': '.'})
/bin/sh: 1: Syntax error: "do" unexpected
2


Here is the behaviour when quoting properly:

>>> subprocess.call("'do'", shell=True, env={'PATH': '.'})
Something is being done...
0


Here is the output of shutil.which:

>>> shutil.which("do", path=".")
'./do'


So checking shutil.which()'s success or failure will not guard against this 
case (though using its output would work around the problem).

>It's not at all obvious that the intention is to ensure such an argument 
>should be treated only as a command external to the shell.
>
>If an application really wants to ensure the command is not handled as a shell 
>built-in, it should use shell=False.

The shell will still search builtins if the argument is quoted, it just won't 
search for keywords. So, a quoted "bind", "shopt" or "jobs" will still work, 
but a quoted "case", "fi" or "done" will cause the shell to search for a 
command of that name rather than treating it as syntax.

Looking at the source, shlex.quote's refusal to quote certain arguments appears 
to be intentional. I would rather it quote slightly more carefully than 
necessary, than quote something incorrectly.

--
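
An added example, not part of the thread or of CPython: it lists which reserved words shlex.quote() returns unchanged and compares them with an unconditional single-quoting helper. The names always_quote, unquoted_by_shlex, shell_exit_code and the RESERVED list are assumptions made for this illustration.

```python
import shlex
import shutil
import subprocess

# POSIX reserved words plus bash's "time" and "coproc" from the thread.
# A given shell may recognise more, so the helper below quotes everything.
RESERVED = ["if", "then", "else", "elif", "fi", "do", "done", "case", "esac",
            "while", "until", "for", "in", "time", "coproc"]


def always_quote(word):
    """Single-quote unconditionally, escaping embedded ' as shlex.quote does."""
    return "'" + word.replace("'", "'\"'\"'") + "'"


def unquoted_by_shlex(words):
    """Return the words that shlex.quote() hands back unchanged."""
    return [w for w in words if shlex.quote(w) == w]


def shell_exit_code(command_line):
    """Run command_line with sh -c; return None if no sh is on PATH."""
    sh = shutil.which("sh")
    if sh is None:
        return None
    result = subprocess.run([sh, "-c", command_line],
                            stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL)
    return result.returncode


if __name__ == "__main__":
    print("left bare by shlex.quote:", unquoted_by_shlex(RESERVED))
    for word in ("done", "fi"):
        # Bare keyword: parsed as syntax. Quoted: looked up as a command.
        print(word,
              "bare ->", shell_exit_code(shlex.quote(word)),
              "quoted ->", shell_exit_code(always_quote(word)))
```

When the command name is not fixed by the program, passing an argument list with shell=False avoids the shell parser altogether.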




[issue26124] shlex.quote and pipes.quote do not quote shell keywords

2016-01-15 Thread Fred L. Drake, Jr.

Fred L. Drake, Jr. added the comment:

It's not at all obvious that the intention is to ensure such an argument should 
be treated only as a command external to the shell.

If an application really wants to ensure the command is not handled as a shell 
built-in, it should use shell=False.

Making this clear in the documentation is reasonable.

--
nosy: +fdrake




[issue26124] shlex.quote and pipes.quote do not quote shell keywords

2016-01-15 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

Maybe. But only if this doesn't make the documentation too verbose.

--
assignee:  -> docs@python
components: +Documentation
keywords: +easy
nosy: +docs@python
stage:  -> needs patch




[issue26124] shlex.quote and pipes.quote do not quote shell keywords

2016-01-15 Thread Charles Daffern

Charles Daffern added the comment:

In that case, should the documentation specify that shlex.quote is unsuitable 
for quoting command names?

--




[issue26124] shlex.quote and pipes.quote do not quote shell keywords

2016-01-15 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

This does not seem to be a serious problem. In any case the command fails. 
And usually argv[0] is a predefined command name, not arbitrary user input. To be 
sure that it is an existing program, you can use shutil.which().

I would close this issue as "won't fix".

--
resolution:  -> wont fix




[issue26124] shlex.quote and pipes.quote do not quote shell keywords

2016-01-15 Thread Charles Daffern

Charles Daffern added the comment:

It's definitely a corner case (in argv[0] position + is keyword), but here's an 
example:

>>> import subprocess
>>> import shlex
>>> subprocess.call(shlex.quote("done"), shell=True)
/bin/sh: 1: Syntax error: "done" unexpected
2

The expected output of this would be:

/bin/sh: 1: done: not found
127

This would be the output if shlex.quote("done") returned "'done'" or r'\done' 
or any other combination of escaped/quoted characters where the keyword would 
otherwise be.

--




[issue26124] shlex.quote and pipes.quote do not quote shell keywords

2016-01-15 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

Could you please provide an example?

--
nosy: +serhiy.storchaka




[issue26124] shlex.quote and pipes.quote do not quote shell keywords

2016-01-15 Thread SilentGhost

Changes by SilentGhost :


--
components: +Library (Lib) -Extension Modules
nosy: +eric.araujo
versions:  -Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5




[issue26124] shlex.quote and pipes.quote do not quote shell keywords

2016-01-15 Thread Charles Daffern

New submission from Charles Daffern:

The shlex.quote and pipes.quote functions do not quote shell keywords.

Example shell keywords: done, time, coproc, while

Presumably the intent of the quote functions is to prevent the resulting string 
from altering the syntax of the script it is inserted into, which is why I 
think these need to be quoted.

We can't possibly know every shell keyword, so the only sensible thing to do 
here is to quote everything.

--
components: Extension Modules
messages: 258292
nosy: Charles Daffern
priority: normal
severity: normal
status: open
title: shlex.quote and pipes.quote do not quote shell keywords
type: behavior
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 3.6
