escape string for command line

Discussion in 'Python' started by Ksenia Marasanova, Jan 7, 2005.

  1. Hi,

    I have a simple ecard creation script on a website, where user can add
    text to a graphic. I use ImageMagick for it:

    from os import system

    # template_file => path to image template file
    # new_file => path to generated file
    # text => user input
    # the trailing backslash keeps the shell command on one line
    command = '''convert %s -font OfficinaSanITC-BookOS -pointsize 12 \
    -fill "#8C2F48" -draw "gravity north text 0,26 '%s'" %s''' % (
    template_file, text, new_file)
    system(command)

    I was wondering, is there a general way to escape the string entered
    by the user, to prevent code injection into command line? Will it
    always be safe, even when binary data is submitted through POST?
    Or maybe some stable Python interface for ImageMagick that takes care of it :)

    Thanks in advance,
    --
    Ksenia
    Ksenia Marasanova, Jan 7, 2005
    #1

  2. In <>, Ksenia
    Marasanova wrote:

    > I have a simple ecard creation script on a website, where user can add
    > text to a graphic. I use ImageMagick for it:
    >
    > # template_file => path to image template file
    > # new_file => path to generated file
    > # text => user input
    > command = '''convert %s -font OfficinaSanITC-BookOS -pointsize 12
    > -fill "#8C2F48" -draw "gravity north text 0,26 '%s'" %s''' % (
    > template_file, text, new_file)
    > system(command)
    >
    > I was wondering, is there a general way to escape the string entered
    > by the user, to prevent code injection into command line?


    Take a look at the "string-escape" encoding:

    >>> evil = "'; rm -rf /;"
    >>> command = "echo '%s'"
    >>> print command % evil.encode('string-escape')

    echo '\'; rm -rf /;'

    > Will it
    > always be safe, even when binary data is submitted through POST?


    Don't know if it's always safe. Unprintable bytes like 0x00 will be
    escaped as '\x00'.

    Ciao,
    Marc 'BlackJack' Rintsch
    Marc 'BlackJack' Rintsch, Jan 8, 2005
    #2
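    Added example, not code from either poster: `string-escape` turns `'` into `\'`, but a POSIX shell treats a backslash inside single quotes literally, so that sequence ends the quoted argument instead of escaping the quote; the block tokenises both wrappings the way a shell would, then shows the approach that sidesteps the problem, which is to hand `convert` an argument list and start no shell at all. Assumed: Python 3, `string_escape_py2` is a hypothetical re-implementation of the Python 2 codec, and the payload and the caption allowlist are constructed for this example.

```python
import shlex
import string
import subprocess

# Constructed payload: the thread's injection string plus a trailing '#', so the
# shell comments out the dangling wrapper quote instead of rejecting the line.
EVIL_TEXT = "'; rm -rf /;#"

def string_escape_py2(text):
    """Hypothetical stand-in for Python 2's 'string-escape' codec: backslashes,
    non-printables and single quotes come out backslash-escaped."""
    return text.encode("unicode_escape").decode("ascii").replace("'", "\\'")

def shell_words(command):
    """Tokenise a command line as a POSIX shell would, with ';' as its own word
    and '#' starting a comment; quoted text never splits."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))

def wrap_with_string_escape(text):
    """The thread's approach. Inside single quotes a backslash is literal, so the
    escaped quote closes the argument and everything after it is shell syntax."""
    return "echo '%s'" % string_escape_py2(text)

def wrap_with_shlex_quote(text):
    """shlex.quote closes the quote, adds a double-quoted quote and reopens it,
    so the whole caption stays one word."""
    return "echo " + shlex.quote(text)

def caption_is_acceptable(text):
    """Constructed allowlist for the layer ImageMagick parses itself: the draw
    primitive's quoted string ends at a quote or backslash, and ImageMagick may
    interpret '%' sequences and a leading '@' in text, so none of those get in."""
    allowed = set(string.ascii_letters + string.digits + " .,!?:-()")
    return 0 < len(text) <= 80 and all(c in allowed for c in text)

def build_convert_argv(template_file, text, new_file):
    """Argument list for convert. subprocess.run with a list starts no shell, so
    the caption reaches convert as a single argv element whatever it contains."""
    return ["convert", template_file, "-font", "OfficinaSanITC-BookOS",
            "-pointsize", "12", "-fill", "#8C2F48",
            "-draw", "gravity north text 0,26 '%s'" % text, new_file]

def render_card(template_file, text, new_file):
    if not caption_is_acceptable(text):
        raise ValueError("caption rejected: quotes, escapes or non-printables")
    subprocess.run(build_convert_argv(template_file, text, new_file), check=True)
```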

  3. > >
    > > I was wondering, is there a general way to escape the string entered
    > > by the user, to prevent code injection into command line?

    >
    > Take a look at the "string-escape" encoding:
    >
    > >>> evil = "'; rm -rf /;"
    > >>> command = "echo '%s'"
    > >>> print command % evil.encode('string-escape')

    > echo '\'; rm -rf /;'


    Cool, thanks! Next time I'll study stdlib better before asking the question :)

    --
    Ksenia
    Ksenia Marasanova, Jan 8, 2005
    #3
