From f99d4f2d649d07fe7be420514c53090f11ec46a9 Mon Sep 17 00:00:00 2001
From: wanghuancoder
Date: Wed, 31 Jan 2024 09:49:31 +0800
Subject: [PATCH] Fix CVE-2024-0521 (#61032) (#61287)

This uses shlex for safe command parsing to fix arbitrary code injection

Co-authored-by: ndren
---
 python/paddle/utils/download.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/python/paddle/utils/download.py b/python/paddle/utils/download.py
index 2ff6e355fb915..30f02a20b969b 100644
--- a/python/paddle/utils/download.py
+++ b/python/paddle/utils/download.py
@@ -15,6 +15,7 @@
 import hashlib
 import os
 import os.path as osp
+import shlex
 import shutil
 import subprocess
 import sys
@@ -204,7 +205,8 @@ def _wget_download(url: str, fullname: str):
 'https',
 ), 'Only support https and http url'
 # using wget to download url
- tmp_fullname = fullname + "_tmp"
+ tmp_fullname = shlex.quote(fullname + "_tmp")
+ url = shlex.quote(url)
 # –user-agent
 command = f'wget -O {tmp_fullname} -t {DOWNLOAD_RETRY_LIMIT} {url}'
 subprc = subprocess.Popen(
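Review bot: Applying shlex.quote to `tmp_fullname` on the added line rewrites a Python variable that is also a filesystem path, not just a shell token: for a `fullname` containing a space or any character outside shlex's safe set, shlex.quote wraps the value in single quotes, so any later `os.path`/`shutil` use of `tmp_fullname` (the body of `_wget_download` continues past the hunk and the Popen arguments are not visible here) would refer to a file literally named `'..._tmp'` rather than the one wget wrote. Rebinding `url` has the same effect for every subsequent use of `url` in the function, e.g. in error messages. The more robust fix is to stop building a shell string at all: keep `tmp_fullname = fullname + "_tmp"`, make `command = ['wget', '-O', tmp_fullname, '-t', str(DOWNLOAD_RETRY_LIMIT), url]`, and pass that list to `subprocess.Popen` without `shell=True`, which removes the injection at its source and leaves both variables usable as plain paths. If a shell invocation must remain, quote only inside the f-string (`{shlex.quote(tmp_fullname)}`, `{shlex.quote(url)}`) and leave the variables themselves unmodified.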