py2lcov: Stop allowing command injection

Signed-off-by: Sebastian Pipping <[email protected]>

Author: hartwork

bin/py2lcov

@@ -191,10 +191,12 @@ Example:
         while os.path.exists(xml):
             xml = base + '.xml%d' % suffix
             suffix += 1
-        cmd = "COVERAGE_FILE='%s' '%s' xml -o '%s'" % (f, args.cover_cmd, xml)
+        env = os.environ.copy()
+        env["COVERAGE_FILE"] = f
+        cmd = [args.cover_cmd, "xml", "-o", xml]
         try:
-            #x = subprocess.run(cmd, capture_output=True, shell=True, check=True)
-            x = subprocess.run(cmd, shell=True, check=True, stdout=True, stderr=True)
+            #x = subprocess.run(cmd, capture_output=True, shell=False, check=True, env=env)
+            x = subprocess.run(cmd, shell=False, check=True, stdout=True, stderr=True, env=env)
         except subprocess.CalledProcessError as err:
             print("Error:  error during XML conversion of %s: %s" % (
                 f, str(err)));