More shell quoting

Strengthen things a little where shell=True is still being used. (For the most part input that passes through here would already be sanitised, but let's be careful anyway). Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2025-07-05 13:14:46 +02:00 · 2019-05-01 10:03:14 +12:00 · 2019-05-01 10:03:14 +12:00 · 3cea37be47
commit 3cea37be47
parent 3c844beab2
2 changed files with 3 additions and 1 deletions
--- a/layerindex/tasks.py
+++ b/layerindex/tasks.py
@ -11,6 +11,7 @@ from . import utils
 import os
 import time
 import subprocess
+import shlex
 from datetime import datetime

 try:
@ -44,7 +45,7 @@ def run_update_command(self, branch_name, update_command):
    shell = False
    if isinstance(update_command, str):
        update_command = update_command.replace('%update%', str(updateobj.id))
-        update_command = update_command.replace('%branch%', branch_name)
+        update_command = update_command.replace('%branch%', shlex.quote(branch_name))
        shell = True
    try:
        os.makedirs(settings.TASK_LOG_DIR)
--- a/layerindex/tools/import_otherdistro.py
+++ b/layerindex/tools/import_otherdistro.py
@ -19,6 +19,7 @@ import glob
 import shutil
 import subprocess
 import string
+import shlex
 from distutils.version import LooseVersion

 sys.path.insert(0, os.path.realpath(os.path.join(os.path.dirname(__file__), '..')))