Commit 831af8b

authored
Remove shell=True from scripts (#2257)
* Remove shell=True from scripts
1 parent 8633484 commit 831af8b

18 files changed

+22
-18
lines changed

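--- a/README.md
+++ b/README.md
@@ -411,9 +411,10 @@ ControlNet dataset is used to specify the mask. The mask images should be the RG
 ### 2024/04/10 (v23.1.5)
 
 - Fix issue with Textual Inversion configuration file selection.
-- Upgrade to gradio 4.19.2 to fix several high security risks associated to earlier versions. Hoping this will not introduce undorseen issues.
+- Upgrade to gradio 4.19.2 to fix several high security risks associated to earlier versions. This is a major upgrade, moving from 3.x to 4.x. Hoping this will not introduce undorseen issues.
 - Upgrade transformers to 4.38.0 to fix a low severity security issue.
 - Add explicit --do_not_share parameter to kohya_gui.py to avoid sharing the GUI on platforms like Kaggle.
+- Remove shell=True from subprocess calls to avoid security issues when using the GUI.
 
 ### 2024/04/08 (v23.1.4)
 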
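--- a/_typos.toml
+++ b/_typos.toml
@@ -27,6 +27,7 @@ rik="rik"
 koo="koo"
 yos="yos"
 wn="wn"
+parm = "parm"
 
 
 [files]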

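--- a/kohya_gui/basic_caption_gui.py
+++ b/kohya_gui/basic_caption_gui.py
@@ -83,7 +83,7 @@ def caption_images(
 )
 
 # Run the command based on the operating system
-subprocess.run(run_cmd, shell=True, env=env)
+subprocess.run(run_cmd, env=env)
 
 # Check if overwrite option is enabled
 if overwrite: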
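Review bot: Dropping `shell=True` on new line 86 is only safe if `run_cmd` is an argument list, and nothing visible in this commit changes how it is built; the construction sits above the hunk, and `class_command_executor.py` still annotates it as `run_cmd: str`. With a string and no shell, `subprocess.run` on POSIX treats the whole string as the executable name and raises `FileNotFoundError`, while on Windows the string is still parsed as a command line, so behaviour would differ by platform. The robust fix is to assemble the command as a list where it is built (`run_cmd = [python_exe, script, "--flag", value]`) rather than splitting a formatted string afterwards, which also keeps user-supplied paths with spaces or quotes as single arguments. The same applies to the identical one-line change in every other `kohya_gui/*_gui.py` section of this commit.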

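--- a/kohya_gui/blip_caption_gui.py
+++ b/kohya_gui/blip_caption_gui.py
@@ -79,7 +79,7 @@ def caption_images(
 )
 
 # Run the command in the sd-scripts folder context
-subprocess.run(run_cmd, shell=True, env=env, cwd=f"{scriptdir}/sd-scripts")
+subprocess.run(run_cmd, env=env, cwd=f"{scriptdir}/sd-scripts")
 
 # Add prefix and postfix
 add_pre_postfix(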

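--- a/kohya_gui/class_command_executor.py
+++ b/kohya_gui/class_command_executor.py
@@ -28,7 +28,7 @@ def execute_command(self, run_cmd: str, **kwargs):
 if self.process and self.process.poll() is None:
 log.info("The command is already running. Please wait for it to finish.")
 else:
-self.process = subprocess.Popen(run_cmd, shell=True, **kwargs)
+self.process = subprocess.Popen(run_cmd, **kwargs)
 
 def kill_command(self):
 """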
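Review bot: `execute_command` forwards `**kwargs` straight to `subprocess.Popen` on new line 31, so any caller can pass `shell=True` back in and silently undo this hardening. A guard at the boundary would make the policy explicit, e.g. `if kwargs.get("shell"): raise ValueError("shell=True is not allowed")` before the `Popen` call. The signature in the hunk header still reads `run_cmd: str`; once callers pass an argument list it should become `run_cmd: list[str]` so the type matches what a shell-less `Popen` needs. The method begins above the hunk, so its docstring and callers are not visible here.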

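--- a/kohya_gui/convert_lcm_gui.py
+++ b/kohya_gui/convert_lcm_gui.py
@@ -59,7 +59,7 @@ def convert_lcm(name, model_path, lora_scale, model_type):
 )
 
 # Run the command
-subprocess.run(run_cmd, shell=True, env=env)
+subprocess.run(run_cmd, env=env)
 
 # Return a success message
 log.info("Done extracting...")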
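Review bot: The exit status of `subprocess.run(run_cmd, env=env)` on new line 62 is discarded, so the `log.info("Done extracting...")` that follows is written even when the child process exits with an error. Keeping the result and checking it, e.g. `result = subprocess.run(run_cmd, env=env)` then `if result.returncode != 0: log.error(f"Command failed with exit code {result.returncode}")`, would keep the GUI log truthful. The same unconditional "Done ..." message follows the call in the extract_lora_from_dylora, extract_lycoris_locon, group_images, merge_lora, merge_lycoris and resize_lora sections of this commit. `convert_lcm` begins above the hunk.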

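--- a/kohya_gui/convert_model_gui.py
+++ b/kohya_gui/convert_model_gui.py
@@ -104,7 +104,7 @@ def convert_model(
 )
 
 # Run the command
-subprocess.run(run_cmd, shell=True, env=env)
+subprocess.run(run_cmd, env=env)
 
 
 ###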

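--- a/kohya_gui/extract_lora_from_dylora_gui.py
+++ b/kohya_gui/extract_lora_from_dylora_gui.py
@@ -64,7 +64,7 @@ def extract_dylora(
 )
 
 # Run the command
-subprocess.run(run_cmd, shell=True, env=env)
+subprocess.run(run_cmd, env=env)
 
 log.info("Done extracting DyLoRA...")
 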
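--- a/kohya_gui/extract_lora_gui.py
+++ b/kohya_gui/extract_lora_gui.py
@@ -102,7 +102,7 @@ def extract_lora(
 )
 
 # Run the command
-subprocess.run(run_cmd, shell=True, env=env)
+subprocess.run(run_cmd, env=env)
 
 
 ###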

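--- a/kohya_gui/extract_lycoris_locon_gui.py
+++ b/kohya_gui/extract_lycoris_locon_gui.py
@@ -110,7 +110,7 @@ def extract_lycoris_locon(
 )
 
 # Run the command
-subprocess.run(run_cmd, shell=True, env=env)
+subprocess.run(run_cmd, env=env)
 
 log.info("Done extracting...")
 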
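--- a/kohya_gui/finetune_gui.py
+++ b/kohya_gui/finetune_gui.py
@@ -517,10 +517,11 @@ def train_model(
 env["PYTHONPATH"] = (
 rf"{scriptdir}{os.pathsep}{scriptdir}/sd-scripts{os.pathsep}{env.get('PYTHONPATH', '')}"
 )
+env["TF_ENABLE_ONEDNN_OPTS"] = "0"
 
 if not print_only:
 # Run the command
-subprocess.run(run_cmd, shell=True, env=env)
+subprocess.run(run_cmd, env=env)
 
 # create images buckets
 if generate_image_buckets:
@@ -550,10 +551,11 @@ def train_model(
 env["PYTHONPATH"] = (
 rf"{scriptdir}{os.pathsep}{scriptdir}/sd-scripts{os.pathsep}{env.get('PYTHONPATH', '')}"
 )
+env["TF_ENABLE_ONEDNN_OPTS"] = "0"
 
 if not print_only:
 # Run the command
-subprocess.run(run_cmd, shell=True, env=env)
+subprocess.run(run_cmd, env=env)
 
 image_num = len(
 [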
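Review bot: `env["TF_ENABLE_ONEDNN_OPTS"] = "0"` is added in both hunks (new lines 520 and 554) without a comment, and it is unrelated to the `shell=True` removal named in the commit title. A one-line comment above each assignment, such as `# Disable TensorFlow oneDNN custom ops in the child process`, would tell the next reader why the variable is set. Both hunks repeat the same `PYTHONPATH` and oneDNN setup inside `train_model`, which starts outside the hunks, so a small shared helper that builds `env` may be worth considering to keep the two call sites from drifting apart.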

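--- a/kohya_gui/git_caption_gui.py
+++ b/kohya_gui/git_caption_gui.py
@@ -51,7 +51,7 @@ def caption_images(
 )
 
 # Run the command
-subprocess.run(run_cmd, shell=True, env=env)
+subprocess.run(run_cmd, env=env)
 
 # Add prefix and postfix
 add_pre_postfix(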

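--- a/kohya_gui/group_images_gui.py
+++ b/kohya_gui/group_images_gui.py
@@ -53,7 +53,7 @@ def group_images(
 )
 
 # Run the command
-subprocess.run(run_cmd, shell=True, env=env)
+subprocess.run(run_cmd, env=env)
 
 log.info("...grouping done")
 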
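--- a/kohya_gui/merge_lora_gui.py
+++ b/kohya_gui/merge_lora_gui.py
@@ -452,6 +452,6 @@ def merge_lora(
 )
 
 # Run the command
-subprocess.run(run_cmd, shell=True, env=env)
+subprocess.run(run_cmd, env=env)
 
 log.info("Done merging...")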

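--- a/kohya_gui/merge_lycoris_gui.py
+++ b/kohya_gui/merge_lycoris_gui.py
@@ -56,7 +56,7 @@ def merge_lycoris(
 )
 
 # Run the command
-subprocess.run(run_cmd, shell=True, env=env)
+subprocess.run(run_cmd, env=env)
 
 log.info("Done merging...")
 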
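--- a/kohya_gui/resize_lora_gui.py
+++ b/kohya_gui/resize_lora_gui.py
@@ -83,7 +83,7 @@ def resize_lora(
 )
 
 # Run the command
-subprocess.run(run_cmd, shell=True, env=env)
+subprocess.run(run_cmd, env=env)
 
 log.info("Done resizing...")
 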
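--- a/kohya_gui/svd_merge_lora_gui.py
+++ b/kohya_gui/svd_merge_lora_gui.py
@@ -99,7 +99,7 @@ def svd_merge_lora(
 )
 
 # Run the command
-subprocess.run(run_cmd, shell=True, env=env)
+subprocess.run(run_cmd, env=env)
 
 
 ###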

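--- a/kohya_gui/wd14_caption_gui.py
+++ b/kohya_gui/wd14_caption_gui.py
@@ -94,7 +94,7 @@ def caption_images(
 env["TF_ENABLE_ONEDNN_OPTS"] = "0"
 
 # Run the command
-subprocess.run(run_cmd, shell=True, env=env)
+subprocess.run(run_cmd, env=env)
 
 # Add prefix and postfix
 add_pre_postfix(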
