Fix it (#58923)

* Quote paddle_binary_dir to prevent command injection. * Quote paddle_binary_dir to prevent command injection. * Update setup.py.in Fixed command quoting bug.
PaddlePaddle · Nov 14, 2023 · 90b4dd0 · 90b4dd0
1 parent c32e0cb
commit 90b4dd0
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/python/setup.py.in b/python/setup.py.in
@@ -9,6 +9,7 @@ import fnmatch
 import errno
 import platform
 import glob
+import shlex
 
 from contextlib import contextmanager
 from setuptools import Command
@@ -912,7 +913,11 @@ with open("@PADDLE_BINARY_DIR@/python/paddle/README.md", "r", encoding='UTF-8')
 
 # strip *.so to reduce package size
 if '${WITH_STRIP}' == 'ON':
-    command = 'find ${PADDLE_BINARY_DIR}/python/paddle -name "*.so" | xargs -i strip {}'
+    command = (
+        'find '
+        + shlex.quote('${PADDLE_BINARY_DIR}')
+        + '/python/paddle -name "*.so" | xargs -i strip {}'
+    )
     if os.system(command) != 0:
         raise Exception("strip *.so failed, command: %s" % command)
 

diff --git a/setup.py b/setup.py
@@ -19,6 +19,7 @@
 import os
 import platform
 import re
+import shlex
 import shutil
 import subprocess
 import sys
@@ -1699,7 +1700,7 @@ def main():
     if env_dict.get("WITH_STRIP") == 'ON':
         command = (
             'find '
-            + paddle_binary_dir
+            + shlex.quote(paddle_binary_dir)
             + '/python/paddle -name "*.so" | xargs -i strip {}'
         )
         if os.system(command) != 0: