Escaping shell commands
Inspector Chan
tocapicha at hotmail.com
Sat Aug 30 21:27:44 EDT 2003
Hi,
I'm using some external data in shell commands which are to be
executed with os.system (other functions don't provide enough
flexibility for executing these shell lines).
So I have decided to use re.escape() for escaping this data before
using it in the created command lines.
Quick example:
malicious external data in var 'data':
data= '; touch /home/user/I0wnzu'
shell command to be executed is 'command':
command= 'echo I am so happy' + re.escape(data)
This way the generated shell line is:
echo I am so happy\;\ touch\ \/home\/user\/I0wnzu
With this example it looks safe... But I'm not quite sure about this
method of escaping input.
Is this breakable?
If so... how?
Does anyone know a better way to get this done?
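
An added example, not part of the original post: it measures whether a value survives a trip through /bin/sh unchanged when escaped with re.escape, when quoted with shlex.quote, and when passed as a single argv entry with no shell at all. The function names and the multi-line sample are constructed for illustration, and it assumes a POSIX sh and a printf binary are available.

```python
import re
import shlex
import subprocess

# The value from the post, plus one constructed multi-line value.
PAGE_DATA = "; touch /home/user/I0wnzu"
MULTILINE = "two\nlines"  # constructed sample


def shell_roundtrip(escape, data):
    """Escape data, splice it into a /bin/sh line, return what the shell saw.

    printf %s emits its argument verbatim, so a correct escaper must give
    stdout == data.
    """
    line = "printf %s " + escape(data)
    done = subprocess.run(line, shell=True, capture_output=True, text=True)
    return done.stdout


def no_shell(data):
    """Pass data as one argv entry; no shell parses it, so nothing to escape."""
    done = subprocess.run(["printf", "%s", data], capture_output=True, text=True)
    return done.stdout


if __name__ == "__main__":
    # re.escape follows regex rules, not shell grammar: it emits
    # backslash + newline, which sh treats as a line continuation,
    # so the newline silently disappears from the data.
    print(repr(shell_roundtrip(re.escape, MULTILINE)))
    # Since Python 3.7 re.escape also leaves ';' unescaped, so PAGE_DATA
    # is deliberately not run through it here.
    # shlex.quote wraps the value in single quotes: it arrives unchanged.
    print(repr(shell_roundtrip(shlex.quote, MULTILINE)))
    print(repr(shell_roundtrip(shlex.quote, PAGE_DATA)))
    # An argument list needs no quoting at all.
    print(repr(no_shell(PAGE_DATA)))
```

When the surrounding command does not need shell features such as pipes or redirection, the argument-list form is the simpler choice because the external value is never parsed as shell syntax.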