From e272f878499491eba58d479b29e1106195bebd61 Mon Sep 17 00:00:00 2001
From: superboy-zjc <1826599908@qq.com>
Date: Thu, 21 Nov 2024 01:50:59 -0500
Subject: [PATCH] [patch] Patch remote OS command injection vulnerability
Former-commit-id: aa6a174d6822340022433c5ba38182b4932adecb
---
 src/llamafactory/webui/runner.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/llamafactory/webui/runner.py b/src/llamafactory/webui/runner.py
index 3dd80f6b..ec549cc4 100644
--- a/src/llamafactory/webui/runner.py
+++ b/src/llamafactory/webui/runner.py
@@ -320,7 +320,12 @@ class Runner:
 if args.get("deepspeed", None) is not None:
 env["FORCE_TORCHRUN"] = "1"
- self.trainer = Popen(f"llamafactory-cli train {save_cmd(args)}", env=env, shell=True)
+ cmd = [
+ "llamafactory-cli",
+ "train",
+ *save_cmd(args).split(),
+ ]
+ self.trainer = Popen(cmd, env=env)
 yield from self.monitor()
 def _form_config_dict(self, data: Dict["Component", Any]) -> Dict[str, Any]:
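Review bot: `*save_cmd(args).split()` in the new `cmd` list re-tokenizes a string on whitespace, so although dropping `shell=True` removes shell interpretation, any space inside a user-influenced value still becomes a separate argv element, and a token that starts with `-` could be parsed by `llamafactory-cli` as an option. `save_cmd` is defined outside this hunk; if it returns a single path (a saved config file, presumably), pass it as one element, `cmd = ["llamafactory-cli", "train", save_cmd(args)]`, which also keeps paths containing spaces working. If it instead returns a quoted argument string, plain `.split()` ignores the quoting, and the arguments are better built as a list at the source than parsed back from a string. The enclosing method begins above the hunk, so how `args` is validated before this point is not visible here.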