From 90b4dd09843f06cfaf9e394060dc26bf4409caae Mon Sep 17 00:00:00 2001
From: Zhiheng Liu <133497712+zhiheng-liu@users.noreply.github.com>
Date: Tue, 14 Nov 2023 12:47:30 +0800
Subject: [PATCH] Fix it (#58923)

* Quote paddle_binary_dir to prevent command injection.

* Quote paddle_binary_dir to prevent command injection.

* Update setup.py.in

Fixed command quoting bug.
---
 python/setup.py.in | 7 ++++++-
 setup.py | 3 ++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/python/setup.py.in b/python/setup.py.in
index d904877af43ce..a8f8ad198ea43 100644
--- a/python/setup.py.in
+++ b/python/setup.py.in
@@ -9,6 +9,7 @@ import fnmatch
 import errno
 import platform
 import glob
+import shlex
 from contextlib import contextmanager
 from setuptools import Command
@@ -912,7 +913,11 @@ with open("@PADDLE_BINARY_DIR@/python/paddle/README.md", "r", encoding='UTF-8')
 # strip *.so to reduce package size
 if '${WITH_STRIP}' == 'ON':
-    command = 'find ${PADDLE_BINARY_DIR}/python/paddle -name "*.so" | xargs -i strip {}'
+    command = (
+        'find '
+        + shlex.quote('${PADDLE_BINARY_DIR}')
+        + '/python/paddle -name "*.so" | xargs -i strip {}'
+    )
     if os.system(command) != 0:
         raise Exception("strip *.so failed, command: %s" % command)
diff --git a/setup.py b/setup.py
index 15c2e55d09f0a..df2a2b8782805 100644
--- a/setup.py
+++ b/setup.py
@@ -19,6 +19,7 @@
 import os
 import platform
 import re
+import shlex
 import shutil
 import subprocess
 import sys
@@ -1699,7 +1700,7 @@ def main():
     if env_dict.get("WITH_STRIP") == 'ON':
         command = (
             'find '
-            + paddle_binary_dir
+            + shlex.quote(paddle_binary_dir)
+            + '/python/paddle -name "*.so" | xargs -i strip {}'
         )
         if os.system(command) != 0:
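Review bot: The quoted directory still feeds a shell pipeline on the `if os.system(command) != 0:` line that follows the new `command = (` block, so the command is shell-parsed anyway and every path that `xargs -i` hands to `strip` travels unquoted; the parallel hunk in setup.py (`+ shlex.quote(paddle_binary_dir)` inside main(), whose body lies outside the hunk) has the same shape and is not repeated there. In setup.py.in the quoting also appears to run too late: `'${PADDLE_BINARY_DIR}'` looks like a configure-time substitution (the same file reads `@PADDLE_BINARY_DIR@` two lines up in the hunk header), so a build path containing a single quote or backslash would corrupt the Python string literal before `shlex.quote` ever sees it. Dropping the shell removes both quoting questions: run `find` through `subprocess.run` with an argument list and let `-exec strip {} +` replace the `xargs` stage (setup.py already imports subprocess per its first hunk; setup.py.in would need the import if it lacks one), which also retires the deprecated `xargs -i` spelling. The failure message can keep reporting the command by joining the list.
```python
# strip *.so to reduce package size
if '${WITH_STRIP}' == 'ON':
    command = [
        'find', '${PADDLE_BINARY_DIR}/python/paddle',
        '-name', '*.so', '-exec', 'strip', '{}', '+',
    ]
    if subprocess.run(command).returncode != 0:
        raise Exception("strip *.so failed, command: %s" % ' '.join(command))
```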