I don't think this fixes the issue, since you could just put a quote in the string.

The way cmd works is it passes strings to the shell which executes them. I don't think it's feasible to sanitize all input strings, though we could (and perhaps should) switch to using pexec.

I also still don't understand the underlying threat model that this is attempting to mitigate.

I don't think this fixes the issue, since you could just put a quote in the string.

Yes, you are right, i wasn't thinking this through...

The way cmd works is it passes strings to the shell which executes them. I don't think it's feasible to sanitize all input strings, though we could (and perhaps should) switch to using pexec.

which pexec do you mean specifically?

I also still don't understand the underlying threat model that this is attempting to mitigate.

neither do i, just wanted to close some issues:D

ah: this doesn't work with python2, how important is still having python2 support for the project?

Working with python 2 is important. If we break backward compatibility in a big way that would probably need to be in a 3.x version of mininet.

I think the right way to fix this for the current version is to use host.pexec - then it doesn't go through the shell.

However, as I noted, I still don't understand the threat model this is attempting to mitigate.

Probably we also want to switch to using netcat as you suggested in #1103.

okay then let's postpone this (as i don't think it's that important anyway) for a future release.
should i close it?