Merge commit from fork

[patch] Patch remote OS command injection vulnerability
hiyouga · Nov 21, 2024 · b3aa80d · b3aa80d
2 parents c8f1998 + d20b97e
commit b3aa80d
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/llamafactory/webui/runner.py b/src/llamafactory/webui/runner.py
@@ -320,7 +320,7 @@ def _launch(self, data: Dict["Component", Any], do_train: bool) -> Generator[Dic
             if args.get("deepspeed", None) is not None:
                 env["FORCE_TORCHRUN"] = "1"
 
-            self.trainer = Popen(f"llamafactory-cli train {save_cmd(args)}", env=env, shell=True)
+            self.trainer = Popen(["llamafactory-cli", "train", save_cmd(args)], env=env)
             yield from self.monitor()
 
     def _form_config_dict(self, data: Dict["Component", Any]) -> Dict[str, Any]: