quotes aren't the only problem, the "!" character, for instance, is used for history expansion by bash, and when improperly quoted results in an error message; in my case the sysadmin decided to use an automatically generated string as a passphrase, and it contained '!' and '"', and the generated psk was always None. Also, a correctly crafted passphrase allows the user to run anything with root privileges, so something like this:
quotes aren't the only problem, the "!" character, for instance, is used for history expansion by bash, and when improperly quoted results in an error message; in my case the sysadmin decided to use an automatically generated string as a passphrase, and it contained '!' and '"', and the generated psk was always None. Also, a correctly crafted passphrase allows the user to run anything with root privileges, so something like this:
escape_re = re.compile( '(?=[^a- zA-Z0-9_ .\/\-\x7F- \xFF])' )
def shell_escape(data): re.sub( '\\\\', data)
return escape_
in misc.py could be a good idea.