lingarajg opened a new pull request, #3729: URL: https://github.com/apache/ambari/pull/3729
## What changes were proposed in this pull request?

The subprocess module allows us to execute commands on the shell, but usage of shell=True poses a security risk where user inputs with "rm -rf" can cause terrible things. To avoid shell-injection vulnerabilities, subprocess can be used without shell=True by modifying the way input is passed. Some examples can be found at https://security.openstack.org/guidelines/dg_avoid-shell-true.html

Hence, shell=True is changed to shell=False in most of the places where it is used, and the command is converted to a list of strings by using the shlex module.

## How was this patch tested?

This patch was manually tested by making changes on an existing cluster and restarting the appropriate services. Did not observe any failure in Ambari server or agent. All services were working as expected.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
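The conversion described in the pull request, as an added example (not code from the PR or from Ambari): the same untrusted value passed through `shell=True`, through `shlex.split()` with no shell, and as a single element of an explicitly built list. The helper names, the `status` command word and the sample input are constructed for illustration, the child process is a stand-in that only reports the arguments it received, and the `shell=True` case assumes a POSIX `/bin/sh`.

```python
import json
import shlex
import subprocess
import sys

# Constructed stand-in for a real tool: a child process that reports its argv.
SHOW_ARGV = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"]


def received_argv(argv):
    """Run argv without a shell and return the arguments the child saw."""
    done = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, check=True)
    return json.loads(done.stdout)


def via_shell(value):
    """Before: one string handed to /bin/sh, which interprets ';'."""
    done = subprocess.run("echo status " + value, shell=True,
                          capture_output=True, text=True, check=True)
    return done.stdout.splitlines()


def via_shlex_split(value):
    """After, as the PR describes: shlex.split() the string, no shell."""
    return received_argv(SHOW_ARGV + shlex.split("status " + value))


def via_list(value):
    """Stricter: the untrusted value is always exactly one argument."""
    return received_argv(SHOW_ARGV + ["status", value])


if __name__ == "__main__":
    untrusted = "svc; echo INJECTED"  # constructed hostile input
    print("shell=True      :", via_shell(untrusted))
    print("shlex.split     :", via_shlex_split(untrusted))
    print("explicit list   :", via_list(untrusted))
    try:
        via_shlex_split("it's")  # unbalanced quote in the input
    except ValueError as exc:
        print("shlex.split error:", exc)
```

Without a shell the `;` is no longer a command separator, but `shlex.split()` on a string that already contains the input still lets whitespace in that input add extra arguments and raises `ValueError` on unbalanced quotes. Building the list directly keeps the value as one argument.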