Fix CVE-2024-0521 (#61032) (#61287)

This uses shlex for safe command parsing to fix arbitrary code injection Co-authored-by: ndren <andreien@proton.me>
PaddlePaddle · Jan 31, 2024 · f99d4f2 · f99d4f2
1 parent 0227a0d
commit f99d4f2
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/python/paddle/utils/download.py b/python/paddle/utils/download.py
@@ -15,6 +15,7 @@
 import hashlib
 import os
 import os.path as osp
+import shlex
 import shutil
 import subprocess
 import sys
@@ -204,7 +205,8 @@ def _wget_download(url: str, fullname: str):
             'https',
         ), 'Only support https and http url'
         # using wget to download url
-        tmp_fullname = fullname + "_tmp"
+        tmp_fullname = shlex.quote(fullname + "_tmp")
+        url = shlex.quote(url)
         # –user-agent
         command = f'wget -O {tmp_fullname} -t {DOWNLOAD_RETRY_LIMIT} {url}'
         subprc = subprocess.Popen(