In <[EMAIL PROTECTED]>, Ksenia Marasanova wrote:

> I have a simple ecard creation script on a website, where a user can add
> text to a graphic. I use ImageMagick for it:
>
> # template_file => path to image template file
> # new_file => path to generated file
> # text => user input
> command = '''convert %s -font OfficinaSanITC-BookOS -pointsize 12
> -fill "#8C2F48" -draw "gravity north text 0,26 '%s'" %s''' % (
> template_file, text, new_file)
> system(command)
>
> I was wondering, is there a general way to escape the string entered
> by the user, to prevent code injection into command line?
Take a look at the "string-escape" encoding:

>>> evil = "'; rm -rf /;"
>>> command = "echo '%s'"
>>> print command % evil.encode('string-escape')
echo '\'; rm -rf /;'

> Will it always be safe, even when binary data is submitted through POST?

Don't know if it's always safe.  Unprintable bytes like 0x00 will be
escaped as '\x00'.

Ciao,
	Marc 'BlackJack' Rintsch
--
http://mail.python.org/mailman/listinfo/python-list
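The following is an added example (Python 3, not code from either poster) of the approach that removes the escaping question from the ecard script entirely: build the ImageMagick invocation as an argument list and run it with subprocess and no shell, so the user's text is handed to `convert` as one argv element that no shell ever parses. It also uses ImageMagick's `-annotate` option, which takes the text as its own argument, instead of embedding it in a `-draw` primitive string where a quote in the text would still confuse ImageMagick's draw parser. For the case where a shell command line genuinely cannot be avoided, `shlex.quote` is shown as well; it wraps the value in single quotes and rewrites an embedded `'` as `'"'"'`, which is what a POSIX shell needs, since a backslash inside single quotes is literal there. The font name, fill colour and offsets are taken from the post; the file names in the test are constructed, and nothing here actually runs `convert`.

```python
import shlex
import subprocess
from typing import List

# Values from the original post.
FONT = "OfficinaSanITC-BookOS"
POINTSIZE = "12"
FILL = "#8C2F48"
OFFSET = "+0+26"  # "gravity north text 0,26" expressed as an -annotate geometry


def build_convert_argv(template_file: str, text: str, new_file: str) -> List[str]:
    """Build the ImageMagick command as an argument list.

    Every element reaches `convert` byte-for-byte unchanged: there is no shell
    between us and the program, so ';', '$(', backticks or quotes inside
    `text` cannot start a second command. `-annotate` takes the text as a
    separate argument, so no draw-primitive quoting is needed either.
    """
    return [
        "convert", template_file,
        "-font", FONT,
        "-pointsize", POINTSIZE,
        "-fill", FILL,
        "-gravity", "north",
        "-annotate", OFFSET, text,
        new_file,
    ]


def render_ecard(template_file: str, text: str, new_file: str) -> None:
    """Run convert without a shell (shell=False is the subprocess default)."""
    subprocess.run(build_convert_argv(template_file, text, new_file), check=True)


def shell_line(argv: List[str]) -> str:
    """Only when a shell line is unavoidable: quote each argument with
    shlex.quote so a POSIX shell tokenises it back into exactly `argv`."""
    return " ".join(shlex.quote(arg) for arg in argv)


def shell_would_see(line: str) -> List[str]:
    """Tokenise a command line the way a POSIX shell would (for review/tests)."""
    return shlex.split(line)


if __name__ == "__main__":
    # Constructed sample input in the spirit of the thread's "evil" string.
    argv = build_convert_argv("template.png", "'; rm -rf /;", "card.png")
    print(argv)
    print(shell_line(argv))
```

`shell_would_see(shell_line(argv)) == argv` is the check worth keeping in a test: if quoting ever regresses, the round trip through a shell-style tokeniser is where it shows up.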