Fixes a privately reported vuln

stamparm · Feb 28, 2023 · a299967 · a299967
1 parent bb4d24b
commit a299967
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/core/httpd.py b/core/httpd.py
@@ -396,7 +396,7 @@ def _login(self, params):
 
             if not IS_WIN:
                 try:
-                    subprocess.check_output("logger -p auth.info -t \"%s[%d]\" \"%s password for %s from %s port %s\"" % (NAME.lower(), os.getpid(), "Accepted" if valid else "Failed", params.get("username"), self.client_address[0], self.client_address[1]), stderr=subprocess.STDOUT, shell=True)
+                    subprocess.check_output(["logger", "-p", "auth.info", "-t", "%s[%d]" % (NAME.lower(), os.getpid()), "%s password for %s from %s port %s" % ("Accepted" if valid else "Failed", params.get("username"), self.client_address[0], self.client_address[1])], stderr=subprocess.STDOUT, shell=False)
                 except Exception:
                     if config.SHOW_DEBUG:
                         traceback.print_exc()