
Commit 170f36e

committed
xml2lcov: Stop allowing command injection via xml2lcovutil.py
Signed-off-by: Sebastian Pipping <[email protected]>
1 parent dd14040 commit 170f36e


1 file changed

+11
-7
lines changed

1 file changed

+11
-7
lines changed

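--- a/bin/xml2lcovutil.py
+++ b/bin/xml2lcovutil.py
@@ -122,14 +122,18 @@ def close(self):
 
 if self._args.version and None == self._versionScript:
 lcov = os.path.join(os.path.split(sys.argv[0])[0], 'lcov')
-cmd = "'%(lcov)s' -a '%(info)s' -o '%(info)s' --version-script '%(vers)s' %(checksum)s--rc compute_file_version=1 --branch-coverage --ignore inconsistent" % {
-'lcov': lcov,
-'checksum': "--checksum " if self._args.checksum else '',
-'info': self._args.output,
-'vers' : self._args.version,
-}
+cmd = [
+lcov,
+"-a", self._args.output,
+"-o", self._args.output,
+"--version-script", self._args.version,
+*(["--checksum"] if self._args.checksum else []),
+"--rc", "compute_file_version=1",
+"--branch-coverage",
+"--ignore", "inconsistent",
+]
 try:
-x = subprocess.run(cmd, shell=True, check=True, stdout=True, stderr=True)
+x = subprocess.run(cmd, shell=False, check=True, stdout=True, stderr=True)
 except subprocess.CalledProcessError as err:
 print("Error during lcov version append operation: %s" % (
 str(err)))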
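Review bot: On the new `subprocess.run(...)` line, `stdout=True, stderr=True` is carried over unchanged, and subprocess treats `True` as the integer 1, so both of lcov's streams are attached to file descriptor 1 and its error output lands on stdout. If plain pass-through is wanted, `x = subprocess.run(cmd, shell=False, check=True)` does that and leaves stderr on fd 2; if merging is intended, `stderr=subprocess.STDOUT` states it explicitly. A short comment above `cmd = [`, for example `# argv list, no shell: output/version paths are passed verbatim as single arguments`, would record why the list form must not be turned back into a format string. `close()` starts and continues outside this hunk, so how `x` is used afterwards is not visible here.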
