Inspector Chan
Hi,
I'm using some external data in shell commands which are to be
executed with os.system (other functions don't provide enough
flexibility for executing these shell lines).
So I have decided to use re.escape() to escape this data before
using it in the created command lines.
Quick example:
malicious external data in var 'data':
data = '; touch /home/user/I0wnzu'
shell command to be executed is 'command':
command = 'echo I am so happy' + re.escape(data)
This way the generated shell line is:
echo I am so happy\;\ touch\ \/home\/user\/I0wnzu
With this example it looks safe... But I'm not quite sure about this
method of escaping input.
Is this breakable?
If so... how?
Does anyone know a better way to get this done?
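As an added example (not part of the original post), here is the approach a practitioner would use instead of re.escape(): re.escape() targets regex metacharacters, while shlex.quote() is written for the shell's word rules, and passing argv as a list to subprocess avoids shell parsing altogether. The sample input mirrors the post's 'data' value and is constructed here.

```python
# Added example, not from the original post: safer alternatives to
# escaping shell input with re.escape(), which escapes regex
# metacharacters and was never designed for shell quoting.
import re
import shlex
import subprocess

# Constructed sample mirroring the post's malicious input.
DATA = "; touch /home/user/I0wnzu"


def quote_for_shell(s: str) -> str:
    """Quote s so that /bin/sh treats it as one literal word.

    shlex.quote() wraps the value in single quotes and rewrites any
    embedded single quote, so no shell metacharacter in s is interpreted.
    """
    return shlex.quote(s)


def build_command(data: str) -> str:
    """The post's command line, built with shell quoting instead of re.escape()."""
    return "echo I am so happy" + quote_for_shell(data)


def run_with_shell(data: str) -> str:
    """Run the quoted command through the shell; return what echo printed.

    The quoted segment joins the preceding word, so ';' and the rest of
    the input reach echo as text rather than as a second command.
    """
    result = subprocess.run(build_command(data), shell=True,
                            capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


def run_without_shell(data: str) -> str:
    """Preferred form: argv as a list, so no shell ever parses the input."""
    result = subprocess.run(["echo", "I am so happy" + data],
                            capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


def regex_vs_shell_escaping(data: str) -> tuple:
    """Return (re.escape output, shlex.quote output) for comparison:
    the two functions answer different questions and differ on this input."""
    return re.escape(data), shlex.quote(data)
```

Note that re.escape() has changed which characters it escapes across Python versions, so its output for shell purposes is not even stable; shlex.quote() always yields a single-quoted word.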