[luci] Passing command line args to class luci.sys.call()

Jo-Philipp Wich xm at subsignal.org
Tue May 14 10:37:50 CEST 2013


Hi.

> luci.sys.call("/bin/register $var1 $var2")

You could use luci.sys.call("/bin/register %q %q" %{ var1, var2 })

However, keep in mind that this method of passing arguments is
dangerous, as the entire command string passed to call() is run through
"/bin/sh -c" on your system, so whatever special characters are
embedded in the command are interpreted by the shell, meaning a username
like "test$(rm -rf /)" could inject arbitrary commands into the system.

It is better to use nixio for a cleaner way of launching an external
command:

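local nixio = require "nixio"
local pid = nixio.fork()
if pid == 0 then
    -- I'm the child
    nixio.exec("/bin/register", var1, var2)
    -- this is only reached if exec() failed
    io.stderr:write("Oh no, can't exec\n")
    os.exit(1) -- do not fall through into the parent's code
elseif pid then
    nixio.waitpid(pid) -- parent: wait for the child and reap it
end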


Hth,
Jow
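Added example, not part of the original post: it shows why a string built with %q is still interpreted by "/bin/sh -c", and what shell-safe quoting looks like for code that cannot move to nixio.exec(). The helper names shellquote and sh_output are hypothetical, the username is constructed with a harmless payload, and io.popen() stands in for luci.sys.call() because both hand the string to the shell.

```lua
-- Added example; plain Lua 5.1, no LuCI required.

-- Hypothetical helper: wrap a value in single quotes for POSIX sh.
-- Nothing is special inside '...'; an embedded ' is written as '\''.
local function shellquote(value)
    return "'" .. (tostring(value):gsub("'", "'\\''")) .. "'"
end

-- Hypothetical helper: run a command string through the shell and
-- return the first line it prints.
local function sh_output(cmd)
    local pipe = assert(io.popen(cmd))
    local line = pipe:read("*l")
    pipe:close()
    return line
end

-- Constructed input: a "username" carrying a harmless command substitution.
local username = "test$(echo INJECTED)"

-- 1. %q emits a Lua string literal in double quotes. The shell still
--    expands $(...) and backticks inside double quotes.
local lua_quoted = string.format("echo %q", username)

-- 2. Single-quoted for the shell: the value reaches echo as literal text.
local sh_quoted = "echo " .. shellquote(username)

print("command: " .. lua_quoted)
print("output : " .. tostring(sh_output(lua_quoted)))
print("command: " .. sh_quoted)
print("output : " .. tostring(sh_output(sh_quoted)))
```

The first command prints the result of the substitution, the second prints the username unchanged. Passing arguments as separate values to nixio.exec(), as in the post, avoids the shell altogether and needs no quoting.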

