do not use os.system with user supplied data

data/tools/addon_manager/html.py

@@ -1,5 +1,6 @@
 # encoding: utf8
 import time, os, glob, sys
+from subprocess import Popen
 
 def output(path, url, data):
     try: os.mkdir(path)
@@ -51,7 +52,7 @@ Select the add-on you want to install from the list and click "OK". The download
     am_dir = os.path.dirname(__file__) + "/"
     for name in ["style.css", "jquery.js", "tablesorter.js",
         "asc.gif", "bg.gif", "desc.gif"]:
-        os.system("cp -u " + am_dir + name + " " + path)
+        Popen(["cp", "-u", am_dir + name, path])
 
     campaigns = data.get_or_create_sub("campaigns")
     w("<table class=\"tablesorter\" id=\"campaigns\">")
@@ -90,9 +91,8 @@ Select the add-on you want to install from the list and click "OK". The download
                     sys.stderr.write("Cannot find icon " + icon + "\n")
                     src = root_dir + "images/misc/missing-image.png"
                     imgurl = "icons/missing-image.png"
-            command = os.path.join(am_dir, "../unit_tree/TeamColorizer '"
-                + src + "' '" + path + "/" + imgurl + "'")
-            os.system(command)
+            Popen([os.path.join(am_dir, "../unit_tree/TeamColorizer"),
+                src, path + "/" + imgurl])
                 
         type = v("type", "none")
         size = float(v("size", "0"))

data/tools/unit_tree/TeamColorizer

@@ -8,7 +8,8 @@ Map the magenta team-color patches in the input image to red in the
 output image, copy the result to output.
 """
 
-import sys,os,getopt
+import sys,getopt
+from subprocess import Popen
 
 team_red=255
 team_green=0
@@ -62,9 +63,8 @@ for (red, green, blue) in flag_rgb:
 
     #    print "red: red\tgreen: green\tblue: blue\told_rgb\n"
     #    print "\tred: new_red\tgreen: new_green\tblue: new_blue\tnew_rgb\n"
-    convertor += " -fill \"#%02x%02x%02x\" -opaque \"#%02x%02x%02x\"" \
-                 % (new_red, new_green, new_blue,
-                    red, green, blue)
+    convertor += " -fill #%02x%02x%02x -opaque #%02x%02x%02x" \
+        % (new_red, new_green, new_blue, red, green, blue)
 
 
 if __name__ == '__main__':
@@ -89,10 +89,9 @@ if __name__ == '__main__':
     else:
         (infilename, outfilename) = arguments
 
-    convertor += " '" + infilename + "' '" + outfilename + "'"
     if verbose:
-        print convertor
+        print convertor + " '" + infilename + "' '" + outfilename + "'"
     if not dryrun:
-        os.system(convertor)
+        Popen(convertor.split() + [infilename, outfilename])
 
 # TeamColorizer ends here.

data/tools/unit_tree/helpers.py

@@ -2,6 +2,7 @@
 Various helpers for use by the wmlunits tool.
 """
 import sys, os, re, glob, shutil, copy, urllib2
+from subprocess import Popen
 
 import wesnoth.wmldata as wmldata
 import wesnoth.wmlparser as wmlparser
@@ -129,9 +130,8 @@ class ImageCollector:
                 # We assume TeamColorizer is in the same directory as the
                 # helpers.py currently executing.
                 command = os.path.join(os.path.dirname(__file__),
-                    "TeamColorizer") + " '%s' '%s'" % (
-                    ipath, opath)
-                os.system(command)
+                    "TeamColorizer")
+                Popen([command, ipath, opath])
             else:
                 sys.stderr.write(
                     "Warning: Required image %s: \"%s\" does not exist.\n" % (c, i))

data/tools/wesnoth_addon_manager

@@ -147,8 +147,7 @@ if __name__ == "__main__":
                 if options.verbose:
                     sys.stderr.write("Creating tarball %(tarname)s.\n" %
                         locals())
-                os.system("tar cjf %(tarname)s -C %(cdir)s %(name)s %(oldcfg)s" %
-                    locals())
+                Popen(["tar", "cjf", tarname, "-C", cdir, name, oldcfg])
 
     def get_info(name):
         """