Fix unfailing CheckExternalCommands

On Unix, with shell=True, the shell defaults to /bin/sh.
Using Popen(['type', command], shell=True) is equivalent to calling
Popen(['/bin/sh', '-c', 'type', command]).
In this case 'command' becomes a positional parameter to the shell,
and not an argument to the command 'type'.

The solution is to pass a single string as parameter.

The problem is that with shell=True, we are never safe from a shell injection,
so it is wiser to use a Python-only solution.

The package distutils is part of the standard distribution, so it doesn't add
extra dependencies.
The method find_executable has the same behaviour as 'which' on bash.
Brendan Harley 2017-05-26 04:20:56 +02:00
parent 0fa83961b8
commit df3a200df3
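
The behaviour described in the commit message, as an added example that is not part of the commit or the project's code: the list form with shell=True succeeds for any name, the single-string form does not, and a PATH lookup needs no shell at all. MISSING is a constructed name assumed absent from the host, and shutil.which stands in for distutils.spawn.find_executable because distutils was removed in Python 3.12.

```python
import shlex
import shutil
import subprocess

# Constructed command name, assumed not to exist on this host.
MISSING = "no-such-command-example"
QUIET = {"stdout": subprocess.DEVNULL, "stderr": subprocess.DEVNULL}


def list_form_check(command):
    """Old check: a list with shell=True runs /bin/sh -c 'type' <command>."""
    # The script is just "type" with no operand, so it succeeds for any name.
    return subprocess.call(["type", command], shell=True, **QUIET) == 0


def dollar_zero(command):
    """Show where the second list element lands: it is the shell's $0."""
    out = subprocess.check_output(['printf %s "$0"', command], shell=True)
    return out.decode()


def string_form_check(command):
    """Single-string form: the name really is an operand of `type`."""
    # shlex.quote keeps the name one shell word; without it the string is injectable.
    return subprocess.call("type " + shlex.quote(command), shell=True, **QUIET) == 0


def path_check(command):
    """Shell-free lookup on PATH, standing in for find_executable."""
    return shutil.which(command) is not None


if __name__ == "__main__":
    for name in ("sh", MISSING):
        print(name, list_form_check(name), string_form_check(name), path_check(name))
    print("$0 =", dollar_zero(MISSING))
```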

@ -9,14 +9,14 @@ class CheckExternalCommands(Task):
@classmethod
def run(cls, info):
from ..tools import log_check_call
from subprocess import CalledProcessError
import re
import logging
from distutils.spawn import find_executable
missing_packages = []
log = logging.getLogger(__name__)
for command, package in info.host_dependencies.items():
try:
log_check_call(['type', command], shell=True)
except CalledProcessError:
log.debug('Checking availability of ' + command)
if find_executable(command) is None:
if re.match('^https?:\/\/', package):
msg = ('The command `{command}\' is not available, '
'you can download the software at `{package}\'.'
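
Review bot: `if find_executable(command) is None:` is a weaker test than the commit message implies, because find_executable only checks that a regular file with that name exists in a PATH directory and never looks at the execute bit, so a non-executable file shadowing the tool passes the check. Consider keeping the returned path and also requiring `os.access(path, os.X_OK)`. Unlike the old `type` call it also cannot see shell builtins or functions, which is fine only if every key in `info.host_dependencies` is a real binary. Separately, if the `from ..tools import log_check_call` and `from subprocess import CalledProcessError` imports remain after this change they are now unused and should be dropped.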