
Escape shell code.

1 parent a1cc88e commit 21280a724c3062f760e87941397d3a9d493f210b @mvidner committed May 16, 2012
Showing with 14 additions and 3 deletions.
  1. +0 −2 README.md
  2. +14 −1 ks-parse
@@ -46,5 +46,3 @@ Requirements:
* cURL
* Python 2 or Python 3
-
-FIXME ks-parse does not escape malicious input yet.
@@ -1,9 +1,22 @@
#!/usr/bin/env python
+"""Parse JSON output from Keystone /tokens
+and extract the token and URLs
+
+Takes care to quote properly so its output can be eval'd by the shell."""
import sys
import json
+import re
+
+def shellname(s):
+ "keep only those characters that are valid in a shell variable name"
+ return re.sub('[^A-Za-z0-9_]*','', s)
+
+def shellquote(s):
+ "make a single shell argument from s"
+ return "'" + s.replace("'", "'\\''") + "'"
def shellvar(name, value):
- print("export %s='%s'" % (name, value))
+ print("export %s=%s" % (shellname(name), shellquote(value)))
tokens = json.load(sys.stdin)
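Review bot: `shellname` strips invalid characters instead of rejecting the name, so it can return an empty string or a name starting with a digit, and `shellvar` would then print `export =...` or `export 1x=...`, which the evaluating shell rejects as an invalid identifier. Stripping also lets two different inputs collapse to the same variable, and if any name is built from the Keystone response (the callers are outside this hunk) a crafted name could come out as `PATH` or `IFS` and be exported into the caller's shell. Rejecting is safer than rewriting: `if not re.match(r'[A-Za-z_][A-Za-z0-9_]*\Z', s): raise ValueError("bad shell variable name")`, and generated names should carry a fixed prefix if they do not already. `shellquote` looks correct for POSIX single-quoting, but it calls `s.replace`, so a non-string JSON value (number, null) would raise AttributeError; check or convert the type before quoting.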
