OpenMarine
In actions using command, allow full access - Printable Version


In actions using command, allow full access - dolce - 2019-03-15

The code to run shell commands in the actions tab does not allow for special shell characters. In my case I simply want to provide a quoted parameter which includes spaces to the command. (It rings a piezo alarm and the parameter is a text string which plays in Morse code to id the alarm.)

I see, in the file SK-bade_d.py, that OpenPlotter uses the following to run the command:

Code:
text = text.split(' ')
subprocess.Popen(text)

While that is normally the recommended method to run external commands in Python, in this case I believe it is more appropriate to use:

Code:
subprocess.Popen(text, shell=True)

Of course the Python manuals warn against using this method. But in this case, anyone with access to input the command could simply enter 'rm -rf' and create plenty of havoc even with the code as written. In other words, we are not worried about shell injection here because the user is already given the ability to run any command. It seems to me that the user might as well have the full power of the shell, just like they do in a terminal window.

Btw, I was going to list this as a bug, but I realized that OpenPlotter is actually working as designed. Thus it's not a bug, it's a feature request.
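
Added example, not part of the original post and not OpenPlotter's code: the quoted-parameter case described above, tokenized with Python's shlex.split, which applies shell quoting rules without starting a shell. The command string, script name and helper names are constructed for illustration.

```python
import json
import shlex
import subprocess
import sys

# Constructed sample action command; the script name is hypothetical.
ACTION = 'ring_alarm.py --text "ANCHOR DRAG" --repeat 2'


def naive_argv(text):
    """Tokenize the way the snippet quoted in the post does."""
    return text.split(' ')


def quoted_argv(text):
    """Tokenize with POSIX quoting rules; no shell is involved.

    Returns None when the quoting is unbalanced, so the caller can
    reject the action instead of running a half-parsed command.
    """
    try:
        return shlex.split(text)
    except ValueError:
        return None


def child_sees(args):
    """Start a child process without a shell and report its arguments."""
    probe = [sys.executable, '-c',
             'import json, sys; print(json.dumps(sys.argv[1:]))']
    done = subprocess.run(probe + args, capture_output=True,
                          text=True, check=True)
    return json.loads(done.stdout)


if __name__ == '__main__':
    # split(' ') breaks the quoted parameter into two tokens.
    print('split(" "):  ', naive_argv(ACTION))
    # shlex.split keeps it as a single argument.
    print('shlex.split: ', quoted_argv(ACTION))
    # Shell metacharacters stay literal data because no shell parses them.
    print('child argv:  ', child_sees(quoted_argv('--text "SOS; date"')))
    # Unbalanced quotes are reported rather than guessed at.
    print('unbalanced:  ', quoted_argv('--text "SOS'))
```

Pipes, redirection and variable expansion are not available this way; those still need a shell.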


RE: In actions using command, allow full access - Sailoog - 2019-04-10

Actions in next OP version will be based on node-red, do you know if node-red is digesting what you want?


RE: In actions using command, allow full access - dolce - 2019-04-11

(2019-04-10, 08:33 PM)Sailoog Wrote: Actions in next OP version will be based on node-red, do you know if node-red is digesting what you want?

The exec node in node-red does indeed allow arbitrary shell commands. I'll wait and see what the next version brings as it seems it may resolve the problem. Thanks.