From a7a60e34521843be4da3dc079f0cc19a1d4d2f61 Mon Sep 17 00:00:00 2001
From: "Shell.Xu"
Date: Fri, 20 Oct 2017 13:16:22 +0800
Subject: [PATCH] fix issue: https://github.com/shadowsocks/shadowsocks/issues/995 Command Execution use list instead of string, prevent injection attack.
---
 utils/autoban.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/utils/autoban.py b/utils/autoban.py
index c7af0a5..44ed83c 100755
--- a/utils/autoban.py
+++ b/utils/autoban.py
@@ -24,9 +24,9 @@
 from __future__ import absolute_import, division, print_function, \
 with_statement

-import os
 import sys
 import argparse
+import subprocess

 if __name__ == '__main__':
 parser = argparse.ArgumentParser(description='See README')
@@ -47,7 +47,7 @@ if __name__ == '__main__':
 ips[ip] += 1
 if ip not in banned and ips[ip] >= config.count:
 banned.add(ip)
- cmd = 'iptables -A INPUT -s %s -j DROP' % ip
- print(cmd, file=sys.stderr)
+ cmd = ['iptables', '-A', 'INPUT', '-s', ip, '-j', 'DROP']
+ print(' '.join(cmd), file=sys.stderr)
 sys.stderr.flush()
- os.system(cmd)
+ subprocess.call(cmd)
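Review bot: `ip` is still handed to `iptables -s` without any check that it is an address. The list form on the new `cmd = [...]` line removes shell interpretation, but `-s` also accepts host names and comma-separated lists, so a malformed value (it appears to be parsed from input outside this hunk) can still produce a rule other than the intended single-address drop. Validating it as an IPv4 literal with `socket.inet_pton` before building `cmd` closes that, and needs `import socket` next to the new `import subprocess`. The result of `subprocess.call(cmd)` is also discarded, and since `banned.add(ip)` has already run, a failed insert (not root, rejected address) is neither reported nor retried. The enclosing loop body starts outside the hunk, so the sketch below shows only the changed lines.

```python
# … unchanged: banned.add(ip) …
try:
    # iptables is IPv4-only; accept nothing but a literal address
    socket.inet_pton(socket.AF_INET, ip)
except (socket.error, ValueError):
    print('not an IPv4 address, skipped: %r' % ip, file=sys.stderr)
else:
    cmd = ['iptables', '-A', 'INPUT', '-s', ip, '-j', 'DROP']
    # … unchanged: print the command and flush stderr …
    if subprocess.call(cmd) != 0:
        print('iptables failed for %s' % ip, file=sys.stderr)
```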