From 97904054137ee804f2e4689aecd2a590cd2b7390 Mon Sep 17 00:00:00 2001
From: Amador Pahim <apahim@redhat.com>
Date: Fri, 15 Sep 2017 17:58:10 +0200
Subject: [PATCH] sysinfo: Don't use shell in sysinfo collection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The use of shell in subprocess should not be needed and might bring some
security issues. Let's disable it.

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
Signed-off-by: Amador Pahim <apahim@redhat.com>
---
 avocado/core/sysinfo.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/avocado/core/sysinfo.py b/avocado/core/sysinfo.py
index 3e145ba5..56e5826d 100644
--- a/avocado/core/sysinfo.py
+++ b/avocado/core/sysinfo.py
@@ -16,6 +16,7 @@ import gzip
 import json
 import logging
 import os
+import shlex
 import shutil
 import time
 import threading
@@ -222,8 +223,8 @@ class Daemon(Command):
         logf_path = os.path.join(logdir, self.logf)
         stdin = open(os.devnull, "r")
         stdout = open(logf_path, "w")
-        self.pipe = subprocess.Popen(self.cmd, stdin=stdin, stdout=stdout,
-                                     stderr=subprocess.STDOUT, shell=True, env=env)
+        self.pipe = subprocess.Popen(shlex.split(self.cmd), stdin=stdin, stdout=stdout,
+                                     stderr=subprocess.STDOUT, shell=False, env=env)
 
     def stop(self):
         """
-- 
GitLab