From dd1404026a41ae68adfaaf7a0728fe7fa739943c Mon Sep 17 00:00:00 2001
From: Sebastian Pipping
Date: Wed, 18 Dec 2024 23:36:36 +0100
Subject: [PATCH 1/3] xml2lcovutil.py: Extract variable lcov

Signed-off-by: Sebastian Pipping
---
 bin/xml2lcovutil.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/bin/xml2lcovutil.py b/bin/xml2lcovutil.py
index 839e7e04..9795c3d4 100644
--- a/bin/xml2lcovutil.py
+++ b/bin/xml2lcovutil.py
@@ -121,8 +121,9 @@ def close(self):
 self._outf.close()
 if self._args.version and None == self._versionScript:
+ lcov = os.path.join(os.path.split(sys.argv[0])[0], 'lcov')
 cmd = "'%(lcov)s' -a '%(info)s' -o '%(info)s' --version-script '%(vers)s' %(checksum)s--rc compute_file_version=1 --branch-coverage --ignore inconsistent" % {
- 'lcov': os.path.join(os.path.split(sys.argv[0])[0], 'lcov'),
+ 'lcov': lcov,
 'checksum': "--checksum " if self._args.checksum else '',
 'info': self._args.output,
 'vers' : self._args.version,

From 170f36e3e4535f5c2e5b89ae82aa8b4b37dc7934 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping
Date: Wed, 18 Dec 2024 23:40:47 +0100
Subject: [PATCH 2/3] xml2lcov: Stop allowing command injection via xml2lcovutil.py

Signed-off-by: Sebastian Pipping
---
 bin/xml2lcovutil.py | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/bin/xml2lcovutil.py b/bin/xml2lcovutil.py
index 9795c3d4..129ac3e5 100644
--- a/bin/xml2lcovutil.py
+++ b/bin/xml2lcovutil.py
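Review bot: The new `lcov = os.path.join(os.path.split(sys.argv[0])[0], 'lcov')` line locates the sibling binary from the directory part of `sys.argv[0]`, which is empty when the script was started by bare name, so the join collapses to plain `'lcov'` and the later launch picks up whatever `lcov` the caller's PATH supplies instead of the one shipped next to this script. Pinning the script's own location first avoids that ambiguity: `lcov = os.path.join(os.path.dirname(os.path.abspath(sys.argv[0])), 'lcov')`. The same line is carried unchanged as context into the following patch, so the fix applies there as well. `close` starts before this hunk.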
@@ -122,14 +122,18 @@ def close(self):
 if self._args.version and None == self._versionScript:
 lcov = os.path.join(os.path.split(sys.argv[0])[0], 'lcov')
- cmd = "'%(lcov)s' -a '%(info)s' -o '%(info)s' --version-script '%(vers)s' %(checksum)s--rc compute_file_version=1 --branch-coverage --ignore inconsistent" % {
- 'lcov': lcov,
- 'checksum': "--checksum " if self._args.checksum else '',
- 'info': self._args.output,
- 'vers' : self._args.version,
- }
+ cmd = [
+ lcov,
+ "-a", self._args.output,
+ "-o", self._args.output,
+ "--version-script", self._args.version,
+ *(["--checksum"] if self._args.checksum else []),
+ "--rc", "compute_file_version=1",
+ "--branch-coverage",
+ "--ignore", "inconsistent",
+ ]
 try:
- x = subprocess.run(cmd, shell=True, check=True, stdout=True, stderr=True)
+ x = subprocess.run(cmd, shell=False, check=True, stdout=True, stderr=True)
 except subprocess.CalledProcessError as err:
 print("Error during lcov version append operation: %s" % (
 str(err)))

From 21bfd416d6b93ec37803546896ab41f4ff50ce55 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping
Date: Wed, 18 Dec 2024 23:44:04 +0100
Subject: [PATCH 3/3] py2lcov: Stop allowing command injection

Signed-off-by: Sebastian Pipping
---
 bin/py2lcov | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/bin/py2lcov b/bin/py2lcov
index b41a81de..ff15747a 100755
--- a/bin/py2lcov
+++ b/bin/py2lcov
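Review bot: With `shell=False` on the new `subprocess.run` line, a missing or non-executable `lcov` no longer comes back as a shell exit status that `check=True` turns into `CalledProcessError`; `run()` raises `FileNotFoundError`/`PermissionError` at launch, which the `except subprocess.CalledProcessError as err:` branch does not catch, so the error handling is narrower than it was before the change. Widen it to `except (subprocess.CalledProcessError, OSError) as err:`; the same applies to the `env=env` call in the py2lcov hunk of the third patch. Separately, `stdout=True, stderr=True` only work because `True == 1` is accepted as file descriptor 1, which silently sends the child's stderr to the parent's stdout; state that intent with `stderr=subprocess.STDOUT`, or drop both keywords to inherit the parent's streams unchanged, and since `x` is not read in the visible lines the assignment can presumably go. `close` starts before this hunk.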
@@ -191,10 +191,12 @@ Example:
 while os.path.exists(xml):
 xml = base + '.xml%d' % suffix
 suffix += 1
- cmd = "COVERAGE_FILE='%s' '%s' xml -o '%s'" % (f, args.cover_cmd, xml)
+ env = os.environ.copy()
+ env["COVERAGE_FILE"] = f
+ cmd = [args.cover_cmd, "xml", "-o", xml]
 try:
- #x = subprocess.run(cmd, capture_output=True, shell=True, check=True)
- x = subprocess.run(cmd, shell=True, check=True, stdout=True, stderr=True)
+ #x = subprocess.run(cmd, capture_output=True, shell=False, check=True, env=env)
+ x = subprocess.run(cmd, shell=False, check=True, stdout=True, stderr=True, env=env)
 except subprocess.CalledProcessError as err:
 print("Error: error during XML conversion of %s: %s" % (
 f, str(err)));
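Review bot: The commented-out `#x = subprocess.run(cmd, capture_output=True, shell=False, check=True, env=env)` line was edited to keep pace with the live call instead of being deleted; dead code that must be maintained in parallel with the real line is the wrong thing to carry forward, and removing it is the cleaner change. Also, `cmd = [args.cover_cmd, "xml", "-o", xml]` now requires `args.cover_cmd` to name exactly one executable, whereas the replaced shell string accepted a multi-word value such as an interpreter plus module; if that form is meant to keep working, split it without a shell via `cmd = [*shlex.split(args.cover_cmd), "xml", "-o", xml]` (with `import shlex` at file top), otherwise the option's help text, which is outside this hunk, should say that a single program path is expected. The enclosing function starts before this hunk.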