From 95292ad51a3f15c377fe731bf482b6ab5dc91ec3 Mon Sep 17 00:00:00 2001
From: Luke Faraone
Date: Mon, 6 Jul 2020 19:11:34 +0000
Subject: [PATCH] Convert run_system_command to use _exec instead of _shell

While probably harmless, use of _shell opens us up to argument injection via e.g. malformed device names.
---
 joycontrol/device.py | 2 +-
 joycontrol/server.py | 2 +-
 joycontrol/utils.py | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/joycontrol/device.py b/joycontrol/device.py
index f92c0d6e..eddb59c4 100644
--- a/joycontrol/device.py
+++ b/joycontrol/device.py
@@ -59,7 +59,7 @@ async def set_class(self, cls='0x002508'):
 :param cls: default 0x002508 (Gamepad/joystick device class)
 """
 logger.info(f'setting device class to {cls}...')
- await utils.run_system_command(f'hciconfig {self._adapter_name} class {cls}')
+ await utils.run_system_command(['hciconfig', self._adapter_name, 'class', cls])
 async def set_name(self, name: str):
 """
diff --git a/joycontrol/server.py b/joycontrol/server.py
index 7d7a212b..9673ab7b 100644
--- a/joycontrol/server.py
+++ b/joycontrol/server.py
@@ -63,7 +63,7 @@ async def create_hid_server(protocol_factory, ctl_psm=17, itr_psm=19, device_id=
 # The Switch does not connect to the sockets if we don't.
 # For more info see: https://github.com/mart1nro/joycontrol/issues/8
 logger.info('Restarting bluetooth service...')
- await utils.run_system_command('systemctl restart bluetooth.service')
+ await utils.run_system_command(['systemctl', 'restart', 'bluetooth.service'])
 await asyncio.sleep(1)
 hid = HidDevice(device_id=device_id)
diff --git a/joycontrol/utils.py b/joycontrol/utils.py
index 4eadc318..e1389eff 100644
--- a/joycontrol/utils.py
+++ b/joycontrol/utils.py
@@ -65,8 +65,8 @@ def callback(future):
 async def run_system_command(cmd):
- proc = await asyncio.create_subprocess_shell(
- cmd,
+ proc = await asyncio.create_subprocess_exec(
+ *cmd,
 stdout=asyncio.subprocess.PIPE,
 stderr=asyncio.subprocess.PIPE)
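Review bot: In `set_class`, the new list passes `cls` and `self._adapter_name` to the child process as raw argv entries, so the string conversion the f-string used to perform is gone and a non-string `cls` would now fail inside `create_subprocess_exec`. Exec-style invocation removes shell interpretation, but a value beginning with `-` would presumably still be read by hciconfig as an option rather than an operand. Normalising and checking the class before the call closes both gaps, e.g. `cls = str(cls)` followed by `if not re.fullmatch(r'0x[0-9a-fA-F]{1,6}', cls): raise ValueError(f'invalid device class: {cls!r}')` (this needs `re` imported in device.py). Where `self._adapter_name` is set is not visible in this hunk, so it may deserve the same check. The body of `set_class` starts above the hunk.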
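Review bot: The outcome of the bluetooth restart is discarded at this call site: the value returned by `utils.run_system_command(['systemctl', 'restart', 'bluetooth.service'])` is not inspected before `await asyncio.sleep(1)`, although the comment above says the Switch will not connect without the restart. Unless `run_system_command` raises on a non-zero exit, which is not visible here, a failed restart goes unnoticed and only shows up later as a connection problem. `systemctl` is also resolved through PATH; if this code normally runs with elevated privileges, an absolute path would be the safer choice. `create_hid_server` begins and ends outside the hunk.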
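Review bot: `run_system_command` now unpacks its argument with `*cmd`, so a caller that still passes a single string has it split into one argument per character and fails with a confusing error about the first letter not being an executable. Only the two call sites in this patch are converted, so any caller outside these hunks would hit that. A guard at the top of the function, `if isinstance(cmd, (str, bytes)): raise TypeError('cmd must be a sequence of arguments, not a string')`, makes the new contract explicit. A one-line docstring stating that `cmd` is an argv list executed without a shell would help as well. The rest of the function body lies outside the hunk.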