[tech] [ucc] New Door/Dispense Server
Grahame Bowland
grahame at angrygoats.net
Tue Apr 12 23:49:41 WST 2011
Gentlepersons,
> $ cvs annotate VendServer.py | grep su
>
> Annotations for VendServer.py
> ***************
> 1.77 (mtearle 09-Apr-05): # should use sudo here
> 1.77 (mtearle 09-Apr-05): ret = os.system('su - "%s" -c "dispense door"'%vstatus.username)
> 1.77 (mtearle 09-Apr-05): if ((os.system('su - "%s" -c "dispense %s"'%(vstatus.username, vstatus.cur_selection[0])) >> 8) != 0):
>
> I'm not hugely convinced that users can do anything nasty with this but I
> agree that it should probably be replaced.
Instead of "%s" you probably want just %s and pipes.quote(vstatus.username).
That call takes care of making sure the argument is properly escaped.
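To make the point concrete, here is an added example (not code from VendServer.py or from the original post) that builds the command string three ways: the unescaped form from revision 1.77, the quoted form suggested above, and an argv list that avoids our own shell entirely. It uses `shlex.quote`, the Python 3 name for `pipes.quote`, and inspects the resulting shell words with `shlex` instead of invoking `su`; the username value is constructed for the demonstration.

```python
import shlex

# Constructed sample value: a username carrying shell metacharacters.
EVIL_USERNAME = 'bob"; echo injected; "'


def vulnerable_command(username, selection):
    """Command string as built in VendServer.py 1.77: the values are wrapped
    in double quotes but never escaped, so the quotes can be closed early."""
    return 'su - "%s" -c "dispense %s"' % (username, selection)


def quoted_command(username, selection):
    """Same command with each interpolated value passed through shlex.quote
    (pipes.quote in Python 2); each value becomes exactly one shell word."""
    return 'su - %s -c %s' % (shlex.quote(username),
                              shlex.quote('dispense %s' % selection))


def argv_no_shell(username, selection):
    """Preferred form for subprocess: no shell on our side at all. su still
    hands the -c string to a shell, so the selection is quoted for that."""
    return ['su', '-', username, '-c', 'dispense %s' % shlex.quote(selection)]


def shell_words(command):
    """Split the string the way /bin/sh would for os.system()."""
    return shlex.split(command)


def extra_command_tokens(command):
    """Return any command separators (; | & && ||) that appear outside quotes.
    punctuation_chars=True makes shlex emit them as their own tokens, which
    is what lets us see whether a second command was smuggled in."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok in (';', '|', '&', '&&', '||')]


if __name__ == '__main__':
    for label, cmd in (('unescaped', vulnerable_command(EVIL_USERNAME, '5')),
                       ('quoted', quoted_command(EVIL_USERNAME, '5'))):
        print(label, cmd)
        print('  words:', shell_words(cmd))
        print('  separators:', extra_command_tokens(cmd))
    print('argv:', argv_no_shell(EVIL_USERNAME, '5'))
```

Run stand-alone, the unescaped form shows two `;` separators and an `echo injected` command among the words, while the quoted form and the argv list carry the whole username as a single `su` argument.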