
shell=False is dangerous

Signed-off-by: Chris Warrick <kwpolska@gmail.com>
Kwpolska committed Jun 11, 2015
1 parent 3ff2344 commit f1e95ef211c8e3189bf5cab33351256956a79f91
Showing with 4 additions and 5 deletions.
  1. +4 −5 nikola/plugins/command/auto/__init__.py
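--- a/nikola/plugins/command/auto/__init__.py
+++ b/nikola/plugins/command/auto/__init__.py
@@ -124,14 +124,13 @@ def _execute(self, options, args):
 elif pyinotify is None:
 req_missing(['pyinotify'], 'use the "auto" command')
 
-arguments = ['build']
+self.cmd_arguments = ['build']
 if self.site.configuration_filename != 'conf.py':
-arguments = ['--conf=' + self.site.configuration_filename] + arguments
+self.cmd_arguments = ['--conf=' + self.site.configuration_filename] + self.cmd_arguments
 
-self.command_line = 'nikola ' + ' '.join(arguments)
 
 # Run an initial build so we are up-to-date
-subprocess.call(["nikola"] + arguments)
+subprocess.call(["nikola"] + self.cmd_arguments)
 
 port = options and options.get('port')
 self.snippet = '''<script>document.write('<script src="http://'
@@ -214,7 +213,7 @@ def __call__(self, environ, start_response):
 exit(130)
 
 def do_rebuild(self, event):
-p = subprocess.Popen(self.command_line, shell=True, stderr=subprocess.PIPE)
+p = subprocess.Popen(self.cmd_arguments, stderr=subprocess.PIPE)
 if p.wait() != 0:
 error = p.stderr.read()
 self.logger.error(error)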
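Review bot: In `do_rebuild`, `subprocess.Popen(self.cmd_arguments, ...)` is given a list with no program name: on the visible lines `self.cmd_arguments` is `['build']`, or `['--conf=…', 'build']` when a non-default config file is set, and only the initial build in `_execute` prepends `["nikola"]`. Without a shell the first list element is the executable, so each rebuild would either fail to spawn or run whatever `build` resolves to on PATH instead of Nikola. Suggested change: `p = subprocess.Popen(["nikola"] + self.cmd_arguments, stderr=subprocess.PIPE)`, or store `'nikola'` as the first element of `self.cmd_arguments` and drop the prefix from the `subprocess.call` line. Both `_execute` and `do_rebuild` start outside the hunks shown, so this is based on the visible lines only.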
