Refactored subtitle post-processing to use shlex.split for safer subprocess invocation (fixing CWE-78) and replaced _escape with _double_quotes for cleaner variable substitution logic.

Author: morpheus65535

bazarr/subtitles/post_processing.py

@@ -4,6 +4,7 @@
 import os
 import logging
 import subprocess
+import shlex
 
 from locale import getpreferredencoding
 
@@ -15,8 +16,9 @@ def postprocessing(command, path):
             from ctypes import windll
             code_page = windll.kernel32.GetConsoleOutputCP()
             encoding = f"cp{code_page}"
-            
-        process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE,
+
+        args = shlex.split(command)  # parse into argv list
+        process = subprocess.Popen(args, shell=False, stdout=subprocess.PIPE,
                                    stderr=subprocess.PIPE, encoding=encoding)
         # wait for the process to terminate
         out, err = process.communicate()

bazarr/utilities/post_processing.py

@@ -8,38 +8,36 @@
 from app.config import settings
 
 
-# Wraps the input string within quotes & escapes the string
-def _escape(in_str):
-    raw_map = {8: r'\\b', 7: r'\\a', 12: r'\\f', 10: r'\\n', 13: r'\\r', 9: r'\\t', 11: r'\\v', 34: r'\"', 92: r'\\'}
-    raw_str = r''.join(raw_map.get(ord(i), i) for i in in_str)
-    return f"\"{raw_str}\""
+# Wraps the input string within double quotes
+def _double_quotes(in_str):
+    return f"\"{in_str}\""
 
 
 def pp_replace(pp_command, episode, subtitles, language, language_code2, language_code3, episode_language,
                episode_language_code2, episode_language_code3, score, subtitle_id, provider, uploader,
                release_info, series_id, episode_id):
-    pp_command = re.sub(r'[\'"]?{{directory}}[\'"]?', _escape(os.path.dirname(episode)), pp_command)
-    pp_command = re.sub(r'[\'"]?{{episode}}[\'"]?', _escape(episode), pp_command)
-    pp_command = re.sub(r'[\'"]?{{episode_name}}[\'"]?', _escape(os.path.splitext(os.path.basename(episode))[0]),
+    pp_command = re.sub(r'[\'"]?{{directory}}[\'"]?', _double_quotes(os.path.dirname(episode)), pp_command)
+    pp_command = re.sub(r'[\'"]?{{episode}}[\'"]?', _double_quotes(episode), pp_command)
+    pp_command = re.sub(r'[\'"]?{{episode_name}}[\'"]?', _double_quotes(os.path.splitext(os.path.basename(episode))[0]),
                         pp_command)
-    pp_command = re.sub(r'[\'"]?{{subtitles}}[\'"]?', _escape(str(subtitles)), pp_command)
-    pp_command = re.sub(r'[\'"]?{{subtitles_language}}[\'"]?',  _escape(str(language)), pp_command)
-    pp_command = re.sub(r'[\'"]?{{subtitles_language_code2}}[\'"]?', _escape(str(language_code2)), pp_command)
-    pp_command = re.sub(r'[\'"]?{{subtitles_language_code3}}[\'"]?', _escape(str(language_code3)), pp_command)
+    pp_command = re.sub(r'[\'"]?{{subtitles}}[\'"]?', _double_quotes(str(subtitles)), pp_command)
+    pp_command = re.sub(r'[\'"]?{{subtitles_language}}[\'"]?',  _double_quotes(str(language)), pp_command)
+    pp_command = re.sub(r'[\'"]?{{subtitles_language_code2}}[\'"]?', _double_quotes(str(language_code2)), pp_command)
+    pp_command = re.sub(r'[\'"]?{{subtitles_language_code3}}[\'"]?', _double_quotes(str(language_code3)), pp_command)
     pp_command = re.sub(r'[\'"]?{{subtitles_language_code2_dot}}[\'"]?',
-                        _escape(str(language_code2).replace(':', '.')), pp_command)
+                        _double_quotes(str(language_code2).replace(':', '.')), pp_command)
     pp_command = re.sub(r'[\'"]?{{subtitles_language_code3_dot}}[\'"]?',
-                        _escape(str(language_code3).replace(':', '.')), pp_command)
-    pp_command = re.sub(r'[\'"]?{{episode_language}}[\'"]?', _escape(str(episode_language)), pp_command)
-    pp_command = re.sub(r'[\'"]?{{episode_language_code2}}[\'"]?', _escape(str(episode_language_code2)), pp_command)
-    pp_command = re.sub(r'[\'"]?{{episode_language_code3}}[\'"]?', _escape(str(episode_language_code3)), pp_command)
-    pp_command = re.sub(r'[\'"]?{{score}}[\'"]?', _escape(str(score)), pp_command)
-    pp_command = re.sub(r'[\'"]?{{subtitle_id}}[\'"]?', _escape(str(subtitle_id)), pp_command)
-    pp_command = re.sub(r'[\'"]?{{provider}}[\'"]?', _escape(str(provider)), pp_command)
-    pp_command = re.sub(r'[\'"]?{{uploader}}[\'"]?', _escape(str(uploader)), pp_command)
-    pp_command = re.sub(r'[\'"]?{{release_info}}[\'"]?', _escape(str(release_info)), pp_command)
-    pp_command = re.sub(r'[\'"]?{{series_id}}[\'"]?', _escape(str(series_id)), pp_command)
-    pp_command = re.sub(r'[\'"]?{{episode_id}}[\'"]?', _escape(str(episode_id)), pp_command)
+                        _double_quotes(str(language_code3).replace(':', '.')), pp_command)
+    pp_command = re.sub(r'[\'"]?{{episode_language}}[\'"]?', _double_quotes(str(episode_language)), pp_command)
+    pp_command = re.sub(r'[\'"]?{{episode_language_code2}}[\'"]?', _double_quotes(str(episode_language_code2)), pp_command)
+    pp_command = re.sub(r'[\'"]?{{episode_language_code3}}[\'"]?', _double_quotes(str(episode_language_code3)), pp_command)
+    pp_command = re.sub(r'[\'"]?{{score}}[\'"]?', _double_quotes(str(score)), pp_command)
+    pp_command = re.sub(r'[\'"]?{{subtitle_id}}[\'"]?', _double_quotes(str(subtitle_id)), pp_command)
+    pp_command = re.sub(r'[\'"]?{{provider}}[\'"]?', _double_quotes(str(provider)), pp_command)
+    pp_command = re.sub(r'[\'"]?{{uploader}}[\'"]?', _double_quotes(str(uploader)), pp_command)
+    pp_command = re.sub(r'[\'"]?{{release_info}}[\'"]?', _double_quotes(str(release_info)), pp_command)
+    pp_command = re.sub(r'[\'"]?{{series_id}}[\'"]?', _double_quotes(str(series_id)), pp_command)
+    pp_command = re.sub(r'[\'"]?{{episode_id}}[\'"]?', _double_quotes(str(episode_id)), pp_command)
     return pp_command