fix issue:

https://github.com/shadowsocks/shadowsocks/issues/995 Command Execution use list instead of string, prevent injection attack.
2017-10-20 13:16:22 +08:00 · 2017-10-20 13:16:22 +08:00 · a7a60e3452
commit a7a60e3452
parent 2ab8c6bf5d
1 changed files with 4 additions and 4 deletions
--- a/utils/autoban.py
+++ b/utils/autoban.py
@ -24,9 +24,9 @@
 from __future__ import absolute_import, division, print_function, \
    with_statement

-import os
 import sys
 import argparse
+import subprocess

 if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='See README')
@ -47,7 +47,7 @@ if __name__ == '__main__':
                ips[ip] += 1
            if ip not in banned and ips[ip] >= config.count:
                banned.add(ip)
-                cmd = 'iptables -A INPUT -s %s -j DROP' % ip
-                print(cmd, file=sys.stderr)
+                cmd = ['iptables', '-A', 'INPUT', '-s', ip, '-j', 'DROP']
+                print(' '.join(cmd), file=sys.stderr)
                sys.stderr.flush()
-                os.system(cmd)
+                subprocess.call(cmd)