garry saddington wrote:
> On Fri, 2006-05-19 at 09:01 +0200, Tino Wildenhain wrote:
>> garry saddington wrote:
>>> This code on linux works without a problem
>>>
>>> ispell = os.popen("echo " + word +
>>> | /opt/scholarpack/ancillary/ispell/bin/ispell -a")
>>> ispell.readline
>>> sentence = ispell.readline()
>>
>> What if the word is like `rm -rf /`
> It is impossible for this to happen because of other controls in place.

Well Zope isnt PHP. You dont need to create potential security
problems if the fix is much more easier then your bunch of (untested)
code you believe prevents it from happen.

>>   for example?
>> Doing something like that above is completely
>> creazy :( There are actually 3 different popen()
>> variants - 2 of them give you stdin too so you better
>> use this to write the "word" to ispells stdin.
>> Don't use echo or something like this!
>> ...
>>> however on windows it throws a string index out of range at the
>>> sentence[0] constructs.
...

> I am not bothered about the paths, that is not the question. Both
> commands work in their respective environments. It is the sequence[0]
> that throws the error so I am looking at differences in the way the
> results are returned from ispell.readline()
> regards
> Garry


Well, what if you try it out in the interactive interpreter?
if sequence is an empty list, accessing [0] index will give
you that error you see. So your code above does not work
as expected. See also the comment regarding "echo", Fred made.

Regards
Tino

_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to