SVilgelm · July 22, 2019 13:16 · Jan 16, 2018 · Jan 16, 2018
diff --git a/examples.md b/examples.md
@@ -0,0 +1,27 @@
+* <dl>
+    <dt>Old code</dt>
+    <dd><pre><code>exec_cmd('ping {ip}'.format(ip=ip))</code></pre></dd>
+    <dt>Rewritten code</dt>
+    <dd><pre><code>exec_cmd(format_cmd('ping {ip}', ip=ip))</code></pre></dd>
+    <dt>Examples</dt>
+    <dd><pre><code>format_cmd('ping {ip}', ip="$(rm -rf /)")
+  $ ping '$(rm -rf /)'
+  ping: cannot resolve $(rm -rf /): Unknown host </code></pre>
+    </dd>
+    <dd><pre><code>format_cmd('ping {ip}', ip='$(rm -rf '/')')
+  $ ping '$(rm -rf '"'"'/'"'"')'
+  ping: cannot resolve $(rm -rf '/'): Unknown host</code></pre>
+    </dd>
+</dl>
+
+* <dl>
+    <dt>Old code</dt>
+    <dd><pre><code>exec_cmd("python -c'print(\"{arg}\")'".format(arg=arg))</code></pre></dd>
+    <dt>Rewritten code</dt>
+    <dd><pre><code>exec_cmd(format_cmd("python -c'import sys; print(sys.argv[1])' {arg}", arg=arg))</code></pre></dd>
+    <dt>Examples</dt>
+    <dd><pre><code>format_cmd("python -c'import sys; print(sys.argv[1])' {arg}", arg="'$(rm -rf /)'")
+  $ python -c'import sys; print(sys.argv[1])' ''"'"'$(rm -rf /)'"'"''
+  '$(rm -rf /)'</code></pre>
+    </dd>
+</dl>
diff --git a/shell.py b/shell.py
@@ -0,0 +1,9 @@
+try:  # py3
+    from shlex import quote  # noqa
+except ImportError:  # py2
+    from pipes import quote  # noqa
+
+
+def format_cmd(cmd, *args, **kwargs):
+    return cmd.format(*[quote(str(i)) for i in args],
+                      **{k: quote(str(v)) for k, v in kwargs.items()})
No results found