From aa6a174d6822340022433c5ba38182b4932adecb Mon Sep 17 00:00:00 2001
From: superboy-zjc <1826599908@qq.com>
Date: Thu, 21 Nov 2024 01:50:59 -0500
Subject: [PATCH 1/2] [patch] Patch remote OS command injection vulnerability
---
 src/llamafactory/webui/runner.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/llamafactory/webui/runner.py b/src/llamafactory/webui/runner.py
index 3dd80f6b7a..ec549cc4b8 100644
--- a/src/llamafactory/webui/runner.py
+++ b/src/llamafactory/webui/runner.py
@@ -320,7 +320,12 @@ def _launch(self, data: Dict["Component", Any], do_train: bool) -> Generator[Dic
 if args.get("deepspeed", None) is not None:
 env["FORCE_TORCHRUN"] = "1"
- self.trainer = Popen(f"llamafactory-cli train {save_cmd(args)}", env=env, shell=True)
+ cmd = [
+ "llamafactory-cli",
+ "train",
+ *save_cmd(args).split(),
+ ]
+ self.trainer = Popen(cmd, env=env)
 yield from self.monitor()
 def _form_config_dict(self, data: Dict["Component", Any]) -> Dict[str, Any]:
From d20b97e7e9514e68c33d0428512fd21b548c1131 Mon Sep 17 00:00:00 2001
From: hoshi-hiyouga
Date: Thu, 21 Nov 2024 22:30:23 +0800
Subject: [PATCH 2/2] do not split save_cmd ret value
---
 src/llamafactory/webui/runner.py | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/src/llamafactory/webui/runner.py b/src/llamafactory/webui/runner.py
index ec549cc4b8..e32035a399 100644
--- a/src/llamafactory/webui/runner.py
+++ b/src/llamafactory/webui/runner.py
@@ -320,12 +320,7 @@ def _launch(self, data: Dict["Component", Any], do_train: bool) -> Generator[Dic
 if args.get("deepspeed", None) is not None:
 env["FORCE_TORCHRUN"] = "1"
- cmd = [
- "llamafactory-cli",
- "train",
- *save_cmd(args).split(),
- ]
- self.trainer = Popen(cmd, env=env)
+ self.trainer = Popen(["llamafactory-cli", "train", save_cmd(args)], env=env)
 yield from self.monitor()
 def _form_config_dict(self, data: Dict["Component", Any]) -> Dict[str, Any]:
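Review bot: `*save_cmd(args).split()` in the new `cmd` list splits the returned string on whitespace, so a return value that contains a space reaches `llamafactory-cli train` as several arguments instead of one. Dropping `shell=True` removes shell interpretation, but if that string is influenced by web UI input (as the patch subject suggests; `save_cmd` itself is not shown here), whitespace in it can still contribute arguments the caller did not intend. Patch 2/2 of this series passes the value as a single list element, so 1/2 should not be cherry-picked or backported without it. `_launch` starts outside the hunk.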
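Review bot: The new `Popen(["llamafactory-cli", "train", save_cmd(args)], env=env)` line has no comment recording why the command is an argv list with no shell, so a later cleanup could bring back the string form this series removed. I would add above it `# argv list, never shell=True: save_cmd() output must reach the CLI as one uninterpreted argument`. Separately, `save_cmd` is not visible in this hunk, so it is worth confirming that its return value is always a path the server composes and cannot begin with `-`, since the CLI might then read it as an option rather than a positional argument. `_launch` starts outside the hunk.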