sysinfo: Don't use shell in sysinfo collection

The use of shell in subprocess should not be needed and might bring some security issues. Let's disable it. Signed-off-by: N Lukáš Doktor <ldoktor@redhat.com> Signed-off-by: N Amador Pahim <apahim@redhat.com>

sysinfo: Don't use shell in sysinfo collection
The use of shell in subprocess should not be needed and might bring some security issues. Let's disable it. Signed-off-by: N Lukáš Doktor <ldoktor@redhat.com> Signed-off-by: N Amador Pahim <apahim@redhat.com>
97904054 · Amador Pahim · Lukáš Doktor · e2d8d8b9 · 97904054
隐藏空白更改
内联并排

Showing with 3 addition and 2 deletion

avocado/core/sysinfo.py avocado/core/sysinfo.py +3 -2

未找到文件。
--- a/avocado/core/sysinfo.py
+++ b/avocado/core/sysinfo.py
@@ -16,6 +16,7 @@ import gzip
 import json
 import logging
 import os
+import shlex
 import shutil
 import time
 import threading
@@ -222,8 +223,8 @@ class Daemon(Command):
        logf_path = os.path.join(logdir, self.logf)
        stdin = open(os.devnull, "r")
        stdout = open(logf_path, "w")
-        self.pipe = subprocess.Popen(self.cmd, stdin=stdin, stdout=stdout,
-                                     stderr=subprocess.STDOUT, shell=True, env=env)
+        self.pipe = subprocess.Popen(shlex.split(self.cmd), stdin=stdin, stdout=stdout,
+                                     stderr=subprocess.STDOUT, shell=False, env=env)

    def stop(self):
        """