2019-03-15, 04:20 AM
The code to run shell commands in the actions tab does not allow for special shell characters. In my case I simply want to provide a quoted parameter which includes spaces to the command. (It rings a piezo alarm and the parameter is a text string which plays in morse code to id the alarm.)
I see, in the file SK-bade_d.py, that openplotter uses the following to run the command:
Code:
text = text.split(' ')
subprocess.Popen(text)
While that is normally the recommended method to run external commands in python, in this case I believe it is more appropriate to use:
Code:
subprocess.Popen(text, shell=True)
Of course the python manuals warn against using this method. But in this case, anyone with access to input the command could simply enter 'rm -rf' and create plenty of havoc even with the code as written. In other words, we are not worried about shell injection here because the user is already given the ability to run any command. It seems to me that the user might as well have the full power of the shell, just like they do in a terminal window.
Btw, I was going to list this as a bug, but I realized that openplotter is actually working as designed. Thus it's not a bug, it's a feature request.
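An alternative that keeps the quoted parameter intact without handing the command line to a shell, as an added example (not openplotter's code): Python's shlex.split tokenizes the way a POSIX shell would, so "bilge pump failure" survives as one argument while metacharacters such as `;` are passed through literally to the program instead of being interpreted. The command name piezo_alarm and the message text are constructed placeholders.

```python
import shlex
import subprocess

# Constructed sample action: a quoted argument that contains spaces.
SAMPLE_CMD = 'piezo_alarm --message "bilge pump failure" --repeat 3'


def split_naive(text):
    """The tokenizer quoted in the post: splitting on single spaces breaks quoted arguments."""
    return text.split(' ')


def split_shell_like(text):
    """POSIX shell-style tokenizing without a shell: quotes and backslashes are honoured,
    but no globbing, redirection, pipes or command separators are ever interpreted."""
    return shlex.split(text)


def run_argv(text):
    """Run a user-entered command line as argv (no shell) and return its stdout.

    Quoted arguments reach the program intact, and shell metacharacters in the
    text arrive as literal argv strings rather than as shell syntax.
    """
    argv = split_shell_like(text)
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print(split_naive(SAMPLE_CMD))       # quoted message is torn into three tokens
    print(split_shell_like(SAMPLE_CMD))  # quoted message is one argument
    print(run_argv('echo hello; echo world'), end="")  # ';' is not a separator here
```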