How to sanitize a file name (protect against shell injection)?

What is the usual practice for sanitizing a file name from an external source (for example, an XML file) before using it as part of a subprocess (shell=False)?

Update: Before passing some parsed lines on, I would like to do some basic security checks. In this example, mpg123 (a command-line audio player) is used remotely to play the sound file.

import subprocess

filename = child.find("filename").text  # e.g. filename = "sound.mp3"; child is a parsed XML element
pid = subprocess.Popen(["mpg123", "-R"], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
command = "L " + filename + "\n"  # mpg123 remote-mode LOAD command, newline-terminated
pid.stdin.write(command.encode())
pid.stdin.flush()
+3

2 answers

File names do not need to be sanitized unless you use a shell; otherwise there is nothing to do. Python's open() will not execute any commands contained in the given file name.

, , , , , , .

, , , . . , mp3- , , , .

+1

, .

, . , . , os.path.isfile.

"" , , . , . "" ( ).

"" - . , (. ). , "" , , , , . , . , , .

+3
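Both answers point at the same two facts: with shell=False nothing interprets the file name as a command, but the name is still fed into a newline-delimited control protocol (mpg123's "L &lt;file&gt;\n") and onto the file system, so it should be validated before use. The following is an added example, not code from the original question or answers; the sound directory, the XML layout and the allow-list pattern are assumptions made for the example. It rejects control characters (an embedded newline would let one XML value smuggle in a second mpg123 command), path components, and anything outside a strict allow-list, then confirms the resolved path stays inside the sound directory and, as the second answer suggests, that the file exists.

```python
import os
import re
import subprocess
from xml.etree import ElementTree

# Directory that sound files must live in; constructed for this example.
SOUND_DIR = "/srv/sounds"

# Allow-list: a plain base name made of safe characters with an .mp3 suffix.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+\.mp3$")


def validate_sound_name(name):
    """Return the validated base name, or raise ValueError.

    The checks cover what the mpg123 remote protocol and the file system
    actually care about: the LOAD command is newline-terminated, so an
    embedded '\\n' or '\\r' would inject a second command; path separators
    and '..' would escape the sound directory.
    """
    if not isinstance(name, str) or not name:
        raise ValueError("empty or non-string file name")
    if "\n" in name or "\r" in name or "\x00" in name:
        raise ValueError("control characters not allowed")
    if name != os.path.basename(name) or name in (".", ".."):
        raise ValueError("path components not allowed")
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("file name does not match the allow-list pattern")
    return name


def is_safe_sound_name(name):
    """Boolean wrapper around validate_sound_name for callers that only filter."""
    try:
        validate_sound_name(name)
    except ValueError:
        return False
    return True


def resolve_sound_path(name, base_dir=SOUND_DIR, must_exist=True):
    """Join the validated name onto base_dir and confirm the result stays inside it."""
    name = validate_sound_name(name)
    root = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("resolved path escapes the sound directory")
    if must_exist and not os.path.isfile(path):
        raise FileNotFoundError(path)
    return path


def filenames_from_xml(xml_text):
    """Yield validated file names from <sound><filename>...</filename></sound> elements.

    The element layout is an assumption for this example; invalid entries are
    skipped rather than passed on to the player.
    """
    root = ElementTree.fromstring(xml_text)
    for child in root.iter("sound"):
        node = child.find("filename")
        text = node.text if node is not None else None
        try:
            yield validate_sound_name(text)
        except ValueError:
            continue


def play(path):
    """Send a LOAD command to mpg123 in remote mode (argv list, shell=False)."""
    proc = subprocess.Popen(["mpg123", "-R"], stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    proc.stdin.write(("L " + path + "\n").encode())
    proc.stdin.flush()
    return proc


if __name__ == "__main__":
    # Constructed sample input: one good name, one traversal attempt, one more good name.
    SAMPLE_XML = ("<playlist><sound><filename>sound.mp3</filename></sound>"
                  "<sound><filename>../etc.mp3</filename></sound>"
                  "<sound><filename>b_2.mp3</filename></sound></playlist>")
    for name in filenames_from_xml(SAMPLE_XML):
        print("accepted:", name)
```

The allow-list is deliberately narrower than what the file system permits; widening it (for example to spaces or non-ASCII names) is a policy choice, but the newline and path-component checks are the ones that matter for the protocol and directory boundary and should stay regardless.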

Source: https://habr.com/ru/post/1786380/
