<div dir="ltr">Hi,<div><br></div><div>Thanks for the quick response :-)<br><div><br></div><div>I'm already in the process of changing my program because I'll get the change faster, but some of the things I want to run using this method are not under my control and I'll need another solution for those. I guess I can work my way around this using a shell script, but then I have to maintain a pair of them (Linux and Windows) in some cases. Maybe I'll end up writing a Python wrapper instead, but it's still boilerplate that I would prefer avoiding.</div><div><br></div><div>Concerning shell redirection... I would be ready to live with explicit "stdout=..." and "stderr=..." options in my testenv sections. I simply said I tried it and it didn't work, not that I really want this built into Tox. Anyways, I'm pretty confident that I can hack up a way to parse the string to extract the redirection operators and then use a safer technique (can't be that hard), but I'm wondering what the security concern is. The subprocess module warns against using this technique to run a command that comes from untrusted user input, which I doubt is the case here. Besides, if I work around this issue by delegating the task to a shell script, how am I any safer?</div><div><br></div><div>André</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jun 13, 2016 at 4:32 PM, Ian Cordasco <span dir="ltr"><<a href="mailto:graffatcolmingov@gmail.com" target="_blank">graffatcolmingov@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">So, let's look at how we might take a command from tox and use<br>
subprocess to run it:<br>
<br>
import shlex<br>
import subprocess<br>
<br>
command_string = 'echo "foo" > ex.txt'<br>
p = subprocess.Popen(shlex.split(command_string),<br>
stdout=subprocess.PIPE, stderr=subprocess.PIPE)<br>
(out, _) = p.communicate()<br>
print(out)<br>
<br>
What you'll see printed is:<br>
<br>
"foo" > ex.txt<br>
<br>
In other words, subprocess is limited to being secure by default and<br>
doesn't allow shell redirection for good reasons. What you can do<br>
instead is write a tiny bash/bat script that does the redirection for<br>
you and then call that. Alternatively you could teach the program to<br>
put its output into a file. (Flake8, for example, added --output-file<br>
for this exact use case quite a while back.)<br>
<br>
In other words, to add redirection into tox you have to teach it about<br>
shell semantics and potentially weaken its security stance.<br>
<div><div class="h5"><br>
<br>
<br>
On Mon, Jun 13, 2016 at 3:14 PM, André Caron <<a href="mailto:andre.l.caron@gmail.com">andre.l.caron@gmail.com</a>> wrote:<br>
> Thanks, I'll take a crack at that!<br>
><br>
> I hadn't noticed before, but by fiddling around a bit, it looks like:<br>
> - Tox merges stdout and stderr of the commands into Tox's stdout.<br>
> - shell redirection inside the commands doesn't work (at least on Windows).<br>
><br>
> Intuitively, I would expect stderr from my commands to be forwarded to<br>
> stderr. Since this is not the case, I was willing to fall back onto<br>
> redirecting stdout from my process directly to a file, but then I can't do<br>
> that inside my Tox.ini file as my command gets the ">foo.log" as a CLI<br>
> argument.<br>
><br>
> Is there any non-obvious rationale for this? If not, would you consider<br>
> changes in this behavior?<br>
><br>
> Thanks!<br>
><br>
> André<br>
><br>
><br>
> On Mon, Jun 13, 2016 at 12:54 PM, Florian Bruhin <<a href="mailto:me@the-compiler.org">me@the-compiler.org</a>><br>
> wrote:<br>
>><br>
>> Hey André,<br>
>><br>
>> * André Caron <<a href="mailto:andre.l.caron@gmail.com">andre.l.caron@gmail.com</a>> [2016-06-13 12:07:37 -0400]:<br>
>> > I looked through Tox' docs and CLI help, but I can't find a "silent"<br>
>> > mode<br>
>> > or a way to force (only) Tox to write to stderr.<br>
>> ><br>
>> > Do you have anything to recommend? If not, any chance you would<br>
>> > consider a<br>
>> > patch to introduce a silent mode or a config change to send Tox' logs to<br>
>> > stderr?<br>
>><br>
>> There's an issue for a -q flag, but nobody worked on it so far:<br>
>> <a href="https://bitbucket.org/hpk42/tox/issues/256/" rel="noreferrer" target="_blank">https://bitbucket.org/hpk42/tox/issues/256/</a><br>
>><br>
>> I still want to work on that, but never got to it with all the other<br>
>> FOSS stuff I do :) So if you want to work on a patch, please do!<br>
>><br>
>> Florian<br>
>><br>
>> --<br>
>> <a href="http://www.the-compiler.org" rel="noreferrer" target="_blank">http://www.the-compiler.org</a> | <a href="mailto:me@the-compiler.org">me@the-compiler.org</a> (Mail/XMPP)<br>
>> GPG: 916E B0C8 FD55 A072 | <a href="http://the-compiler.org/pubkey.asc" rel="noreferrer" target="_blank">http://the-compiler.org/pubkey.asc</a><br>
>> I love long mails! | <a href="http://email.is-not-s.ms/" rel="noreferrer" target="_blank">http://email.is-not-s.ms/</a><br>
><br>
><br>
><br>
</div></div>> _______________________________________________<br>
> testing-in-python mailing list<br>
> <a href="mailto:testing-in-python@lists.idyll.org">testing-in-python@lists.idyll.org</a><br>
> <a href="http://lists.idyll.org/listinfo/testing-in-python" rel="noreferrer" target="_blank">http://lists.idyll.org/listinfo/testing-in-python</a><br>
><br>
</blockquote></div><br></div>
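<div>Added example, not part of the thread and not tox code: one way to do what André describes, extracting the redirection operators from the command string and opening the target files in the parent process so the command still runs without a shell. The names split_redirects, run_redirected and demo are hypothetical, and the sample command is constructed.</div>

```python
import shlex
import subprocess
import sys
import tempfile
from pathlib import Path

# Redirection operators this sketch understands, mapped to (stream, file mode).
REDIRECTS = {">": ("stdout", "wb"), ">>": ("stdout", "ab"),
             "2>": ("stderr", "wb"), "2>>": ("stderr", "ab")}


def split_redirects(command_string):
    """Split a command line into argv plus {stream: (path, mode)} targets."""
    # Only whitespace-separated operators are recognised ("> out", not ">out").
    # A quoted ">" also counts, because shlex.split() drops the quoting.
    argv, targets = [], {}
    tokens = iter(shlex.split(command_string))
    for token in tokens:
        if token in REDIRECTS:
            stream, mode = REDIRECTS[token]
            path = next(tokens, None)
            if path is None:
                raise ValueError("redirection %r has no target file" % token)
            targets[stream] = (path, mode)
        else:
            argv.append(token)
    return argv, targets


def run_redirected(command_string, cwd=None):
    """Run the command without a shell, wiring redirects to real files."""
    argv, targets = split_redirects(command_string)
    handles = {}
    try:
        for stream, (path, mode) in targets.items():
            handles[stream] = open(Path(cwd or ".") / path, mode)
        return subprocess.call(argv, cwd=cwd, **handles)  # shell=False
    finally:
        for handle in handles.values():
            handle.close()


def demo():
    """Constructed sample: the ";" and what follows stay literal arguments."""
    with tempfile.TemporaryDirectory() as tmp:
        cmd = '"%s" -c "import sys; print(sys.argv[1:])" foo ";" echo injected > ex.txt'
        status = run_redirected(cmd % sys.executable, cwd=tmp)
        return status, (Path(tmp) / "ex.txt").read_text().strip()
```

<div>Because no shell ever sees the string, only the operators in REDIRECTS have any effect; pipes, command separators and substitutions reach the child as plain arguments.</div>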