Escaping shell commands

Inspector Chan tocapicha at
Sun Aug 31 03:27:44 CEST 2003


  I'm using some external data on shell commands which are to be
executed with os.system (other functions doesn't provide enough
flexibility for executing these shell lines).

  So I have decided to user re.escape() for escaping these data before
using it on the created command lines.

Quick example:

malicious external data in var 'data':

data= '; touch /home/user/I0wnzu'

shell command to be executed is 'command':

command= 'echo I am so happy' + re.escape(data)

This way the generated shell lines is:

echo I am so happy\;\ touch\ \/home\/user\/I0wnzu

With this example it looks safe... But I'm not quite sure about this
method of escaping input.

¿Is this breakable?
If so... ¿how?
¿Does anyone knows a better way to get this done?

More information about the Python-list mailing list