Package: python3-minimal
Version: 3.9.2-3
Severity: normal
X-Debbugs-Cc: danseb...@gmail.com

Dear Maintainer,

The from_files function in /usr/share/python3/debpython/files.py passes its argument to the shell. It calls `Popen("/usr/bin/dpkg -L %s" % package_name, shell=True)`, executing the contents of package_name as code. A safe alternative is `subprocess.run(["/usr/bin/dpkg", "-L", package_name])`.

A consequence of this is that `py3clean "--package=; touch /tmp/hello"` runs the embedded command and shows the incorrect error message "dpkg-query: error: --listfiles needs at least one package name argument" instead of e.g. "dpkg-query: package '; touch /tmp/hello' is not installed".

Yours faithfully,
Dan
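
The two call styles from the report side by side, as an added example that is not part of the original bug report or of debpython. The function names are hypothetical, a child process that prints its argv stands in for /usr/bin/dpkg so the block runs without dpkg, and the package-name check (Debian Policy syntax) goes beyond what the report proposes.

```python
import json
import re
import shlex
import subprocess
import sys

# Assumption: stand-in for /usr/bin/dpkg so this runs without dpkg installed.
# The child prints the argument vector it received as a JSON list.
STAND_IN = [sys.executable, "-c",
            "import json, sys; print(json.dumps(sys.argv[1:]))"]

# Debian Policy package-name syntax: lowercase letters, digits, "+", "-", ".",
# at least two characters, starting with an alphanumeric (addition to the report).
PACKAGE_NAME = re.compile(r"[a-z0-9][a-z0-9+.-]+")


def list_files_shell(package_name):
    """Reported pattern: the name is formatted into a shell command line."""
    cmd = "%s -L %s" % (shlex.join(STAND_IN), package_name)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def run_argv(package_name):
    """Argument list, no shell: the name reaches the child as one argument."""
    out = subprocess.run(STAND_IN + ["-L", package_name],
                         capture_output=True, text=True, check=True)
    return json.loads(out.stdout)


def list_files_argv(package_name):
    """Hardened form: reject non-package names, including ones starting with a dash."""
    if not PACKAGE_NAME.fullmatch(package_name):
        raise ValueError("invalid package name: %r" % package_name)
    return run_argv(package_name)


if __name__ == "__main__":
    hostile = "; echo INJECTED"              # constructed sample input
    print(list_files_shell(hostile))         # two commands ran
    print(run_argv(hostile))                 # one command, one literal argument
    print(list_files_argv("python3-minimal"))
```

In the shell form the stand-in receives only `-L`, which matches the "needs at least one package name argument" message in the report, and the text after the `;` runs as a second command.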