escape string for command line

Hi,

I have a simple ecard creation script on a website, where user can add
text to a graphic. I use ImageMagick for it:

from os import system

# template_file => path to image template file
# new_file => path to generated file
# text => user input
# The command is built as one line; a newline inside the string would be
# treated by the shell as a command separator.
command = ('convert %s -font OfficinaSanITC-BookOS -pointsize 12 '
           '-fill "#8C2F48" -draw "gravity north text 0,26 \'%s\'" %s') % (
    template_file, text, new_file)
system(command)

I was wondering, is there a general way to escape the string entered
by the user, to prevent code injection into command line? Will it
always be safe, even when binary data is submitted through POST?
Or maybe some stable Python interface for ImageMagick that takes care of it :)

Thanks in advance,
--
Ksenia
Jul 18 '05 #1
In <ma**************************************@python.org>, Ksenia
Marasanova wrote:
> I have a simple ecard creation script on a website, where user can add
> text to a graphic. I use ImageMagick for it:
>
> # template_file => path to image template file
> # new_file => path to generated file
> # text => user input
> command = '''convert %s -font OfficinaSanITC-BookOS -pointsize 12
> -fill "#8C2F48" -draw "gravity north text 0,26 '%s'" %s''' % (
> template_file, text, new_file)
> system(command)
>
> I was wondering, is there a general way to escape the string entered
> by the user, to prevent code injection into command line?

Take a look at the "string-escape" encoding:
evil = "'; rm -rf /;"
command = "echo '%s'"
print command % evil.encode('string-escape')

echo '\'; rm -rf /;'
> Will it
> always be safe, even when binary data is submitted through POST?

Don't know if it's always safe. Unprintable bytes like 0x00 will be
escaped as '\x00'.

Ciao,
Marc 'BlackJack' Rintsch
Jul 18 '05 #2
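As an added example (not code from the thread), the defender's version of the original script: backslash-escaping is not how POSIX shells quote a single-quoted string, and the string-escape codec no longer exists in Python 3, so the safer route is to skip the shell entirely by passing convert an argv list, and to allowlist the card text rather than escape it (this also answers the binary-POST question: such input is rejected). Function and pattern names are my own.

```python
import re
import subprocess

# Allowlist for the card text: printable ASCII without quotes or backslashes,
# bounded length. Control bytes, NUL and non-UTF-8 POST data are rejected,
# not escaped, so they never reach ImageMagick's -draw mini-language.
TEXT_RE = re.compile(r"[A-Za-z0-9 .,!?:;()\-]{1,80}")


def validate_text(raw):
    """Return the card text as str if it is acceptable, else raise ValueError."""
    if isinstance(raw, bytes):
        try:
            raw = raw.decode("utf-8")
        except UnicodeDecodeError:
            raise ValueError("text is not valid UTF-8")
    if not isinstance(raw, str) or not TEXT_RE.fullmatch(raw):
        raise ValueError("text contains characters outside the allowlist")
    return raw


def build_convert_argv(template_file, text, new_file):
    """Build the convert command as a list of arguments.

    Each element is handed to execve() as one argv entry; no shell parses
    the line, so quotes, semicolons or backticks in `text` cannot start a
    second command (the original used os.system(), which goes through sh).
    """
    text = validate_text(text)
    return [
        "convert", template_file,
        "-font", "OfficinaSanITC-BookOS",
        "-pointsize", "12",
        "-fill", "#8C2F48",
        "-draw", "gravity north text 0,26 '%s'" % text,
        new_file,
    ]


def render_card(template_file, text, new_file):
    """Run convert without a shell; raises on non-zero exit or bad text."""
    subprocess.run(build_convert_argv(template_file, text, new_file),
                   check=True)
```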
> > I was wondering, is there a general way to escape the string entered
> > by the user, to prevent code injection into command line?
>
> Take a look at the "string-escape" encoding:
> evil = "'; rm -rf /;"
> command = "echo '%s'"
> print command % evil.encode('string-escape')
>
> echo '\'; rm -rf /;'

Cool, thanks! Next time I'll study stdlib better before asking the question :)

--
Ksenia
Jul 18 '05 #3
