Ok, the parameters are filtered now.
I'd still like to see subprocess.Popen() in combination with its parameter shell=False in the code.
Please do not use commands.getstatusoutput(); it's unsafe when there are arguments in the string which the attacker can reach.
subprocess.Popen() directs the arguments in a better way to the program you want to run, so the args cannot execute another program. https://docs.python.org/2/library/subprocess.html
And again, think about "quoting" if you still want to use commands.getstatusoutput() for some reason.
Quoting with shlex.quote(arg) should prevent shell command injection and ...
Quoting may also prevent an attacker from disabling the firewall if he appends some valid ufw commands, not only shell commands ;-) https://docs.python.org/3/library/shlex.html#shlex.quote
Greetings from Germany
Bernd
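
The difference described in the comment above, as an added example that is not part of the original comment or of the project's code. It assumes Python 3 and a POSIX `/bin/sh`; the child process is a constructed stand-in for the real program (such as ufw) that only reports the arguments it received, and `run_argv`, `run_shell` and `HOSTILE` are hypothetical names.

```python
import json
import shlex
import subprocess
import sys

# Constructed stand-in for the real target: prints the argv it received as JSON,
# so the example runs offline and never touches a firewall.
CHILD = [sys.executable, "-c", "import json,sys; print(json.dumps(sys.argv[1:]))"]

# Constructed hostile input: a shell metacharacter followed by a second command.
HOSTILE = "10.0.0.1; echo INJECTED"


def run_argv(user_value):
    """shell=False with a list: the value is exactly one argv element."""
    proc = subprocess.Popen(CHILD + ["allow", "from", user_value],
                            shell=False, stdout=subprocess.PIPE)
    out, _ = proc.communicate()
    return json.loads(out.decode())


def run_shell(user_value, quote):
    """Command string parsed by /bin/sh, the way commands.getstatusoutput()
    runs it (shell=True is used here as the Python 3 equivalent)."""
    value = shlex.quote(user_value) if quote else user_value
    cmd = " ".join(shlex.quote(part) for part in CHILD) + " allow from " + value
    out = subprocess.check_output(cmd, shell=True)
    return out.decode().splitlines()


if __name__ == "__main__":
    # Unquoted: the shell splits at ';' and runs the second command as well.
    print("shell, unquoted:", run_shell(HOSTILE, quote=False))
    # Quoted: the shell passes the whole value through as a single word.
    print("shell, quoted:  ", run_shell(HOSTILE, quote=True))
    # shell=False: no shell is involved, so there is nothing to escape.
    print("argv list:      ", run_argv(HOSTILE))
    # Both safe forms deliver the value verbatim, so a value such as "--force"
    # still reaches the program unchanged; input validation remains necessary.
    print("option-like:    ", run_argv("--force"))
```

In both safe forms the hostile value reaches the child as one argument, so it cannot contribute additional words to the command line.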