author | Chris St. Pierre <chris.a.st.pierre@gmail.com> | 2011-08-05 08:24:22 -0400 |
committer | Chris St. Pierre <chris.a.st.pierre@gmail.com> | 2011-08-05 08:24:22 -0400 |
commit | f4a35efec1b6a1e54d61cf1b8bfc83dd1d89eef7 (patch) | |
tree | 9c2a8c8daf8250c0aca46761381fe53488c3f839 /src/lib/Server/Admin | |
parent | ed85e40bcbce07cc5e2d67b985e48c836d0a9079 (diff) | |
fixed security bugs where unescaped input was passed to the shell
Diffstat (limited to 'src/lib/Server/Admin')
-rw-r--r-- | src/lib/Server/Admin/Viz.py | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/src/lib/Server/Admin/Viz.py b/src/lib/Server/Admin/Viz.py
index 3ab54e543..9b1e78821 100644
--- a/src/lib/Server/Admin/Viz.py
+++ b/src/lib/Server/Admin/Viz.py
@@ -86,11 +86,10 @@ class Viz(Bcfg2.Server.Admin.MetadataCore):
 else:
 format = 'png'
- cmd = "dot -T%s" % (format)
+ cmd = ["dot", "-T", format]
 if output:
- cmd += " -o %s" % output
- dotpipe = Popen(cmd, shell=True, stdin=PIPE,
- stdout=PIPE, close_fds=True)
+ cmd.extend(["-o", output])
+ dotpipe = Popen(cmd, stdin=PIPE, stdout=PIPE, close_fds=True)
 try:
 dotpipe.stdin.write("digraph groups {\n")
 except: |
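Review bot: With `shell=True` dropped, a missing or non-executable `dot` binary now surfaces as an `OSError` raised directly by `Popen` at `dotpipe = Popen(cmd, stdin=PIPE, stdout=PIPE, close_fds=True)`, whereas before the shell started successfully and the failure only showed up later as a non-zero exit; the new code does not catch that, so whatever handles the old failure mode outside the hunk presumably needs checking. The argv-list form is the right fix for the shell-injection bug, and the reason should be recorded next to `cmd = ["dot", "-T", format]` so the list is not turned back into a string later: `# argv list, no shell: format and output are user-supplied and must not be shell-interpolated`. The enclosing method of `Viz` starts and ends outside the hunk; the bare `except:` after the write is pre-existing context and unchanged by this commit.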