By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
443,400 Members | 903 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 443,400 IT Pros & Developers. It's quick & easy.

escape string for command line

P: n/a
Hi,

I have a simple ecard creation script on a website, where user can add
text to a graphic. I use ImageMagick for it:

# template_file => path to image template file
# new_file => path to generated file
# text => user input
command = '''convert %s -font OfficinaSanITC-BookOS -pointsize 12
-fill "#8C2F48" -draw "gravity north text 0,26 '%s'" %s''' % (
template_file, text, new_file)
system(command)

I was wondering, is there a general way to escape the string entered
by the user, to prevent code injection into command line? Will it
always be safe, even when binary data is submitted through POST?
Or maybe some stable Python interface for ImageMagick that takes care of it :)

Thanks in advance,
--
Ksenia
Jul 18 '05 #1
Share this Question
Share on Google+
2 Replies


P: n/a
In <ma**************************************@python.o rg>, Ksenia
Marasanova wrote:
I have a simple ecard creation script on a website, where user can add
text to a graphic. I use ImageMagick for it:

# template_file => path to image template file
# new_file => path to generated file
# text => user input
command = '''convert %s -font OfficinaSanITC-BookOS -pointsize 12
-fill "#8C2F48" -draw "gravity north text 0,26 '%s'" %s''' % (
template_file, text, new_file)
system(command)

I was wondering, is there a general way to escape the string entered
by the user, to prevent code injection into command line?
Take a look at the "string-escape" encoding:
evil = "'; rm -rf /;"
command = "echo '%s'"
print command % evil.encode('string-escape')

echo '\'; rm -rf /;'
Will it
always be safe, even when binary data is submitted through POST?


Don't know if it's always safe. Unprintable bytes like 0x00 will be
escaped as '\x00'.

Ciao,
Marc 'BlackJack' Rintsch
Jul 18 '05 #2

P: n/a
> >
I was wondering, is there a general way to escape the string entered
by the user, to prevent code injection into command line?


Take a look at the "string-escape" encoding:
evil = "'; rm -rf /;"
command = "echo '%s'"
print command % evil.encode('string-escape')

echo '\'; rm -rf /;'


Cool, thanks! Next time I'll study stdlib better before asking the question :)

--
Ksenia
Jul 18 '05 #3

This discussion thread is closed

Replies have been disabled for this discussion.