escape string for command line

  • Thread starter Ksenia Marasanova

Ksenia Marasanova

Hi,

I have a simple ecard creation script on a website, where user can add
text to a graphic. I use ImageMagick for it:

# template_file => path to image template file
# new_file => path to generated file
# text => user input
command = '''convert %s -font OfficinaSanITC-BookOS -pointsize 12
-fill "#8C2F48" -draw "gravity north text 0,26 '%s'" %s''' % (
template_file, text, new_file)
system(command)

I was wondering, is there a general way to escape the string entered
by the user, to prevent code injection into command line? Will it
always be safe, even when binary data is submitted through POST?
Or maybe some stable Python interface for ImageMagick that takes care of it :)

Thanks in advance,
 

Marc 'BlackJack' Rintsch

> I have a simple ecard creation script on a website, where user can add
> text to a graphic. I use ImageMagick for it:
>
> # template_file => path to image template file
> # new_file => path to generated file
> # text => user input
> command = '''convert %s -font OfficinaSanITC-BookOS -pointsize 12
> -fill "#8C2F48" -draw "gravity north text 0,26 '%s'" %s''' % (
> template_file, text, new_file)
> system(command)
>
> I was wondering, is there a general way to escape the string entered
> by the user, to prevent code injection into command line?

Take a look at the "string-escape" encoding:
echo '\'; rm -rf /;'
> Will it
> always be safe, even when binary data is submitted through POST?

Don't know if it's always safe. Unprintable bytes like 0x00 will be
escaped as '\x00'.

Ciao,
Marc 'BlackJack' Rintsch
 

Ksenia Marasanova

> Take a look at the "string-escape" encoding:
>
> echo '\'; rm -rf /;'

Cool, thanks! Next time I'll study stdlib better before asking the question :)
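
Added example, not part of the original thread: rather than escaping the text for a shell, this sketch hands ImageMagick an argument list so no shell ever parses the user input, and quotes the text only for the -draw string. The function names are hypothetical, and the assumption that backslash and single quote are the characters needing a backslash escape inside the quoted -draw string should be checked against the installed ImageMagick version.

```python
import subprocess

FONT = "OfficinaSanITC-BookOS"  # font name taken from the original post


def mvg_quote(text):
    """Quote text for a single-quoted string inside a -draw primitive.

    Assumption: backslash and single quote are the characters that need a
    backslash escape inside the quoted string.
    """
    # Reject NUL and other control bytes (the "binary data" case): an argv
    # element cannot carry NUL, and none of these belong in card text.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text):
        raise ValueError("control characters are not allowed in card text")
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_convert_argv(template_file, text, new_file):
    """Return the argument vector for convert; no shell is involved."""
    # template_file and new_file are server-chosen paths, as in the post.
    draw = "gravity north text 0,26 " + mvg_quote(text)
    return [
        "convert", template_file,
        "-font", FONT,
        "-pointsize", "12",
        "-fill", "#8C2F48",
        "-draw", draw,
        new_file,
    ]


def render_card(template_file, text, new_file):
    # A list with the default shell=False goes straight to exec, so shell
    # metacharacters in the text are just bytes inside one argument.
    subprocess.run(build_convert_argv(template_file, text, new_file), check=True)


if __name__ == "__main__":
    # Constructed sample input: the string from the reply above.
    for arg in build_convert_argv("template.png", "'; rm -rf /;", "card.png"):
        print(repr(arg))
```
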
 
