This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
In actions using command, allow full access
#1
The code to run shell commands in the actions tab does not allow for special shell characters. In my case I simply want to provide a quoted parameter which includes spaces to the command. (It rings a piezo alarm and the parameter is a text string which plays in morse code to id the alarm.)

I see, in the file SK-bade_d.py, that openplotter uses the following to run the command:

Code:
text = text.split(' ')
subprocess.Popen(text)

While that is normally the recommended method to run external commands in python, in this case I believe it is more appropriate to use:

Code:
subprocess.Popen(text, shell=True)

Of course the python manuals warn against using this method. But in this case, anyone with access to input the command could simply enter 'rm -rf' and create plenty of havoc even with the code as written. In other words, we are not worried about shell injection here because the user is already given the ability to run any command. It seems to me that the user might as well have the full power of the shell, just like they do in a terminal window.

Btw, I was going to list this as a bug, but I realized that openplotter is actually working as designed. Thus it's not a bug, it's a feature request.
Reply
#2
Actions in next OP version will be based on node-red, do you know if node-red is digesting what you want?
Reply
#3
(2019-04-10, 08:33 PM)Sailoog Wrote: Actions in next OP version will be based on node-red, do you know if node-red is digesting what you want?

The exec node in node-red does indeed allow arbitrary shell commands. I'll wait and see what the next version brings as it seems it may resolve the problem. Thanks.
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)