From 105a8ec07786f092d14293967e60ab007f366fa4 Mon Sep 17 00:00:00 2001
From: cuissedemouche
Date: Thu, 12 Jan 2023 22:35:59 +0000
Subject: [PATCH] Security fix subprocess

Removed shell=True from subprocess, and correctly switch commands to lists.
---
 .gitignore | 4 ++++
 mediainfosama/__main__.py | 2 ++
 mediainfosama/file_cmds.py | 11 +++++------
 3 files changed, 11 insertions(+), 6 deletions(-)
 create mode 100644 mediainfosama/__main__.py

diff --git a/.gitignore b/.gitignore
index 277aeb8..c9e71be 100644
--- a/.gitignore
+++ b/.gitignore
@@ -124,3 +124,7 @@ dmypy.json
 .pyre/
 
 TODO
+
+toBinary
+
+binary/
diff --git a/mediainfosama/__main__.py b/mediainfosama/__main__.py
new file mode 100644
index 0000000..84a62d6
--- /dev/null
+++ b/mediainfosama/__main__.py
@@ -0,0 +1,2 @@
+if __name__ == "__main__":
+    import main
\ No newline at end of file
diff --git a/mediainfosama/file_cmds.py b/mediainfosama/file_cmds.py
index 76b44d2..aa1055a 100644
--- a/mediainfosama/file_cmds.py
+++ b/mediainfosama/file_cmds.py
@@ -1,5 +1,4 @@
-import os, subprocess, json
-from shlex import quote
+import os, subprocess
 
 class FileCmds:
     def __init__(self, file_path):
@@ -19,7 +18,7 @@ class FileCmds:
         :type cmd: str
         :return: str
         '''
-        process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
+        process = subprocess.Popen(cmd, stdout=subprocess.PIPE)
         output, error = process.communicate()
         return output
 
@@ -44,7 +43,7 @@ class FileCmds:
         :type inform: str
         :rtype: str
         '''
-        bash_command = f"mediainfo --Inform={quote(inform)} {quote(self.file_path)}"
+        bash_command = ["mediainfo", f"--Inform={inform}", self.file_path]
         output = self.execute_bash(bash_command).decode('utf-8')
         return output
 
@@ -105,7 +104,7 @@ class FileCmds:
         output += "M: Menu\n\n"
         output += "\n"
-        output += self.execute_bash(f"mediainfo {quote(self.file_path)}").decode('utf-8')
+        output += self.execute_bash(["mediainfo", self.file_path]).decode('utf-8')
         return(output)
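Review bot: `import main` in the new __main__.py is an absolute import, so when the package is run as `python -m mediainfosama` it will presumably only resolve if the mediainfosama directory itself is on sys.path; the package-relative form `from . import main` would find the sibling module regardless of the working directory. If the intent is that importing main.py runs the CLI as a side effect, a short comment saying so would help, e.g. `# importing main runs the command-line entry point`. The file is also missing its trailing newline. main.py itself is outside the diff, so this is inferred from the two added lines.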
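Review bot: The docstring just above the changed Popen line still says `:type cmd: str`, but without shell=True Popen treats a string as the name of a single executable, so the method now requires an argument list; update it to `:type cmd: list[str]` (the name `execute_bash` is also misleading now that no shell is involved). The new line also never checks the exit status, and `error` is always None because stderr is not captured, so a missing mediainfo binary or an unreadable path comes back as an empty bytes object with no signal to the caller; `subprocess.run(cmd, stdout=subprocess.PIPE, check=True).stdout` would surface that as CalledProcessError. execute_bash's signature lies above the hunk.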
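Review bot: With the list form on the changed line, `inform` and `self.file_path` can no longer reach a shell, but both are still handed to mediainfo verbatim, so a path beginning with `-` would presumably be parsed as an option rather than a file; if file_path can come from untrusted input, checking `os.path.isfile(self.file_path)` before any command is built (os is already imported) would close that and give a clearer error than an empty result. The same applies to the hunk at -105 and to the --Full hunk. `.decode('utf-8')` on the result can also raise UnicodeDecodeError on non-UTF-8 metadata; `.decode('utf-8', errors='replace')` keeps the call from failing on such files.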
@@ -115,7 +114,7 @@ class FileCmds:
         :rtype: string
         '''
-        output = self.execute_bash(f"mediainfo --Full {quote(self.file_path)}").decode('utf-8')
+        output = self.execute_bash(["mediainfo", "--Full", self.file_path]).decode('utf-8')
         return output