
I'm running Flask on an Azure server and send data from a form using POST, as an argument to a Python script.

Here's how I pass the argument to the script and run it:

import os

# postArgument is the raw form value; it is concatenated straight into a shell command line
os.system("python3 script.py " + postArgument)

The output is displayed normally in the logs as it would on a terminal.

How do I get the output back onto the new web page?

  • Why can't you import this script and run it? You don't need to use OS commands. Commented Jan 16, 2017 at 2:32

1 Answer

You can use a pipe. Here is how it is done:

import os

# os.popen runs the command through a shell and returns a file object; read() collects its stdout
os.popen("python3 script.py " + postArgument).read()

From a security perspective I would suggest you do some sanity check on postArgument before using it.

EDIT: answering the comment asking why a sanity check.

The code is vulnerable to command injection.

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

Let me try to demonstrate a possible attack in your case: if

postArgument = "blah ; rm -rf /"

then

os.popen("python3 script.py " + postArgument).read()

will be equivalent to

os.popen("python3 script.py blah ; rm -rf /").read()

This will try to remove all the files on the system.

How to avoid this: either use pipes.quote

import os
import shlex  # shlex.quote is the same function as pipes.quote; the pipes module was removed in Python 3.13

# Quoting turns the whole value into a single shell word, so a ';' inside it is just a character
p = os.popen("python3 script.py " + shlex.quote(postArgument)).read()

or use subprocess; this is recommended since os.popen is deprecated

import subprocess

# Argument list and no shell: postArgument reaches script.py as a single argv entry
p = subprocess.Popen(["python3", "script.py", postArgument], stdout=subprocess.PIPE, text=True)
output = p.communicate()[0]

Read here about command injection


5 Comments

Could you explain the "sanity check" you're talking about?
Read about command injection here: owasp.org/index.php/Command_Injection
@KalolParty I have updated the answer with details on the sanity check. Please accept the answer if it helped you.
Thanks! Good stuff!
Is there any other way to avoid this? Also, it runs on my local server but not on my Azure server.
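The following is an added example, not code from the question or the answer above. It makes the answer's point concrete without ever running the dangerous command: it shows how a POSIX shell would tokenize the concatenated command line for the answer's `"blah ; rm -rf /"` payload, how `shlex.quote` (the modern name for `pipes.quote`) collapses it back into one word, and how the argument-list form of `subprocess` delivers the value to the script as a single `argv` entry while still capturing its output for the web page. The file `script.py` is not on the page, so a constructed stand-in that simply echoes its arguments is written to a temporary file; `write_stub_script`, `shell_words`, `unsafe_command`, `quoted_command` and `run_script_safely` are all names introduced here.

```python
import os
import shlex
import subprocess
import sys
import tempfile

# Constructed stand-in for the page's script.py: prints each argument on its own line,
# so the output shows exactly what reached the script.
SCRIPT_SOURCE = "import sys\nfor arg in sys.argv[1:]:\n    print(arg)\n"

# The payload used in the answer's demonstration (never executed through a shell here).
PAYLOAD = "blah ; rm -rf /"


def write_stub_script() -> str:
    """Write the stand-in script to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".py")
    with os.fdopen(fd, "w") as f:
        f.write(SCRIPT_SOURCE)
    return path


def shell_words(command: str) -> list:
    """Tokenize a command line the way a POSIX shell would before executing it.

    This is what os.system / os.popen hand to /bin/sh, so it shows which parts
    of the user-controlled value the shell would treat as separate words.
    """
    return shlex.split(command)


def unsafe_command(post_argument: str) -> str:
    """The vulnerable pattern from the question: plain string concatenation."""
    return "python3 script.py " + post_argument


def quoted_command(post_argument: str) -> str:
    """The answer's first fix: quote the value so it is one shell word.

    shlex.quote is the same function the answer calls pipes.quote.
    """
    return "python3 script.py " + shlex.quote(post_argument)


def run_script_safely(script_path: str, post_argument: str) -> list:
    """The answer's second fix, plus output capture for the web page.

    An argument list with no shell means there is no command line to inject
    into: post_argument becomes one argv entry no matter what it contains.
    Returns the script's stdout split into lines.
    """
    result = subprocess.run(
        [sys.executable, script_path, post_argument],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout.splitlines()


if __name__ == "__main__":
    print("shell sees (unsafe):", shell_words(unsafe_command(PAYLOAD)))
    print("shell sees (quoted):", shell_words(quoted_command(PAYLOAD)))
    path = write_stub_script()
    try:
        print("script received:", run_script_safely(path, PAYLOAD))
    finally:
        os.unlink(path)
```

In a Flask view the same `run_script_safely` result would be passed to the template instead of printed. The quoted form fixes the injection, but the list form is the one to prefer: it removes the shell from the picture entirely, so there is no quoting rule to get wrong.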
