mgymrek/pybamview

Possible Remote Code Execution Vulnerability

Opened this issue · 0 comments

Hey,

I noticed that code in line 162 of browser/views.py (`retcode = os.system(cmd)`) is vulnerable to Remote Code Execution (https://en.wikipedia.org/wiki/Arbitrary_code_execution). The user input flows from the filename field of the HTML form into the os.system() call. An attacker can provide input like "; some_other_command #" to execute arbitrary commands on your server.

I would suggest fixing this issue by e.g. replacing os.system() with the subprocess.call() function from the Python standard library.

Cheers!
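The following is an added illustration of the fix the report asks for, not code from pybamview. It assumes a stand-in command (`samtools index`), a base directory `BAM_ROOT`, and the helper names shown; the issue does not say what `cmd` actually contains. The vulnerable shape splices the form value into a shell string, while the hardened shape validates the name and hands the command to `subprocess` as an argument list with `shell=False`, so metacharacters such as `;` and `#` arrive in the child process as ordinary characters inside one argument.

```python
"""Constructed example (not pybamview's code): shell-string vs. argv-list command building."""
import re
import subprocess
import sys
from pathlib import Path

# Assumption: the directory the server is allowed to read BAM files from.
BAM_ROOT = Path("/srv/bams")

# Only plain file names, no directory separators, no shell syntax, must end in .bam.
_SAFE_BAM_NAME = re.compile(r"^[A-Za-z0-9_.-]+\.bam$")


def vulnerable_command(filename: str) -> str:
    """The pattern from the report: untrusted text spliced into a shell command string.
    Handed to os.system(), /bin/sh would treat ';' as a command separator."""
    return "samtools index %s" % filename  # 'samtools index' is a stand-in for the real cmd


def validated_bam_name(filename: str) -> str:
    """Allow-list check on the form value; rejects traversal and shell metacharacters."""
    if not _SAFE_BAM_NAME.match(filename):
        raise ValueError("rejected BAM file name: %r" % filename)
    return filename


def hardened_argv(filename: str) -> list:
    """Build an argument vector instead of a shell string.
    Run with shell=False, each element is one argv entry and is never re-parsed by a shell."""
    name = validated_bam_name(filename)
    return ["samtools", "index", str(BAM_ROOT / name)]


def run_index(filename: str) -> int:
    """How the view would invoke the command: no shell, list of arguments, exit code returned."""
    return subprocess.run(hardened_argv(filename), shell=False, check=False).returncode


def argv_as_received(value: str) -> str:
    """Spawn a child without a shell and return exactly what it got as argv[1].
    Uses the running interpreter so the demo needs no external tool."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    # Constructed input in the shape the report describes: a name carrying shell syntax.
    tainted = "sample.bam; some_other_command #"
    print("shell string a shell would split:", vulnerable_command(tainted))
    print("child received as one argument :", argv_as_received(tainted))
    try:
        hardened_argv(tainted)
    except ValueError as exc:
        print("validation:", exc)
    print("clean name ->", hardened_argv("sample.bam"))
```

The two defences are independent: the argument list alone already stops the shell from interpreting the value, and the allow-list additionally keeps path traversal (`../`) and odd names out of the command even when the downstream tool is later changed.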