From f18c73049123dc6a5f6bd0d096744d7795bfe1c0 Mon Sep 17 00:00:00 2001
From: sliptonic
Date: Wed, 29 Dec 2021 10:28:51 -0600
Subject: [PATCH 1/3] fix #4810 use subprocess.Popen() to avoid executing arbitrary code

---
 src/Mod/Path/PathScripts/PathSanity.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/Mod/Path/PathScripts/PathSanity.py b/src/Mod/Path/PathScripts/PathSanity.py
index 4b8ee5218b..6c5e0ac3f4 100644
--- a/src/Mod/Path/PathScripts/PathSanity.py
+++ b/src/Mod/Path/PathScripts/PathSanity.py
@@ -40,6 +40,7 @@ from collections import Counter
 from datetime import datetime
 import os
 import webbrowser
+import subprocess
 
 # Qt translation handling
 
@@ -464,7 +465,9 @@ class CommandPathSanity:
 )
 
 try:
- result = os.system("asciidoctor {} -o {}".format(reportraw, reporthtml))
+ result = subprocess.Popen(
+ "asciidoctor {} -o {}".format(reportraw, reporthtml)
+ )
 if str(result) == "32512":
 msg = "asciidoctor not found. html cannot be generated."
 QtGui.QMessageBox.information(None, "Path Sanity", msg)

From ca950cf54a69c3f7527db9511e9726a5a1834b81 Mon Sep 17 00:00:00 2001
From: sliptonic
Date: Thu, 30 Dec 2021 16:58:45 -0600
Subject: [PATCH 2/3] use subprocess.Popen() the right way

---
 src/Mod/Path/PathScripts/PathSanity.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/Mod/Path/PathScripts/PathSanity.py b/src/Mod/Path/PathScripts/PathSanity.py
index 6c5e0ac3f4..0e48f247ef 100644
--- a/src/Mod/Path/PathScripts/PathSanity.py
+++ b/src/Mod/Path/PathScripts/PathSanity.py
@@ -465,9 +465,7 @@ class CommandPathSanity:
 )
 
 try:
- result = subprocess.Popen(
- "asciidoctor {} -o {}".format(reportraw, reporthtml)
- )
+ result = subprocess.Popen(["asciidoctor", reportraw, "-o", reporthtml])
 if str(result) == "32512":
 msg = "asciidoctor not found. html cannot be generated."
 QtGui.QMessageBox.information(None, "Path Sanity", msg)

From a65dbc6f8296562a12407a36f4931a80bbb628b7 Mon Sep 17 00:00:00 2001
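Review bot: The `if str(result) == "32512":` test that this hunk leaves in place can no longer be true, because `result` is now a `subprocess.Popen` object whose str() is its repr, whereas 32512 was the os.system() wait status (127 << 8) for a shell that could not find the command; the same dead check survives the PATCH 2/3 hunk on this line and the PATCH 3/3 hunk below. With subprocess the missing-executable case is a `FileNotFoundError` raised by the call itself, so the existing message belongs in an `except FileNotFoundError:` arm of the enclosing `try` (`except FileNotFoundError:` / `msg = "asciidoctor not found. html cannot be generated."` / `QtGui.QMessageBox.information(None, "Path Sanity", msg)`), and once PATCH 3/3 makes `result` a CompletedProcess the comparison should become `if result.returncode != 0:` so a failed conversion is not reported as success. The `try`'s `except` clause, and whatever consumes reporthtml afterwards, lie outside the hunk, so I cannot tell whether FileNotFoundError is already caught there. Note also that this Popen is never waited on, so code after the try may read reporthtml before asciidoctor has written it; PATCH 3/3's switch to run() addresses that.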
From: sliptonic
Date: Fri, 31 Dec 2021 10:04:17 -0600
Subject: [PATCH 3/3] Use run() instead of Popen() to avoid need for communicate() call.

---
 src/Mod/Path/PathScripts/PathSanity.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Mod/Path/PathScripts/PathSanity.py b/src/Mod/Path/PathScripts/PathSanity.py
index 0e48f247ef..cfc46f4149 100644
--- a/src/Mod/Path/PathScripts/PathSanity.py
+++ b/src/Mod/Path/PathScripts/PathSanity.py
@@ -465,7 +465,7 @@ class CommandPathSanity:
 )
 
 try:
- result = subprocess.Popen(["asciidoctor", reportraw, "-o", reporthtml])
+ result = subprocess.run(["asciidoctor", reportraw, "-o", reporthtml])
 if str(result) == "32512":
 msg = "asciidoctor not found. html cannot be generated."
 QtGui.QMessageBox.information(None, "Path Sanity", msg)