Merge pull request #2344 from Jacalz/os/execabs

Switch to golang.org/x/sys/execabs for windows security fix

app/app.go

@@ -4,7 +4,6 @@
 package app // import "fyne.io/fyne/v2/app"
 
 import (
-	"os/exec"
 	"strconv"
 	"sync"
 	"time"
@@ -14,6 +13,8 @@ import (
 	"fyne.io/fyne/v2/internal/app"
 	intRepo "fyne.io/fyne/v2/internal/repository"
 	"fyne.io/fyne/v2/storage/repository"
+
+	"golang.org/x/sys/execabs"
 )
 
 // Declare conformity with App interface
@@ -31,7 +32,7 @@ type fyneApp struct {
 
 	running  bool
 	runMutex sync.Mutex
-	exec     func(name string, arg ...string) *exec.Cmd
+	exec     func(name string, arg ...string) *execabs.Cmd
 }
 
 func (a *fyneApp) Icon() fyne.Resource {
@@ -111,7 +112,7 @@ func New() fyne.App {
 }
 
 func newAppWithDriver(d fyne.Driver, id string) fyne.App {
-	newApp := &fyneApp{uniqueID: id, driver: d, exec: exec.Command, lifecycle: &app.Lifecycle{}}
+	newApp := &fyneApp{uniqueID: id, driver: d, exec: execabs.Command, lifecycle: &app.Lifecycle{}}
 	fyne.SetCurrentApp(newApp)
 
 	newApp.prefs = newPreferences(newApp)

app/app_darwin.go

@@ -20,13 +20,14 @@ import (
 	"fmt"
 	"net/url"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"strings"
 	"unsafe"
 
 	"fyne.io/fyne/v2"
 	"fyne.io/fyne/v2/theme"
+
+	"golang.org/x/sys/execabs"
 )
 
 func defaultVariant() fyne.ThemeVariant {
@@ -65,7 +66,7 @@ func (a *fyneApp) SendNotification(n *fyne.Notification) {
 	template := `display notification "%s" with title "%s"`
 	script := fmt.Sprintf(template, content, title)
 
-	err := exec.Command("osascript", "-e", script).Start()
+	err := execabs.Command("osascript", "-e", script).Start()
 	if err != nil {
 		fyne.LogError("Failed to launch darwin notify script", err)
 	}

app/app_test.go

@@ -2,13 +2,14 @@ package app
 
 import (
 	"net/url"
-	"os/exec"
 	"strings"
 	"testing"
 
 	"fyne.io/fyne/v2"
 	_ "fyne.io/fyne/v2/test"
 	"github.com/stretchr/testify/assert"
+
+	"golang.org/x/sys/execabs"
 )
 
 func TestDummyApp(t *testing.T) {
@@ -33,9 +34,9 @@ func TestFyneApp_UniqueID(t *testing.T) {
 func TestFyneApp_OpenURL(t *testing.T) {
 	opened := ""
 	app := NewWithID("io.fyne.test")
-	app.(*fyneApp).exec = func(cmd string, arg ...string) *exec.Cmd {
+	app.(*fyneApp).exec = func(cmd string, arg ...string) *execabs.Cmd {
 		opened = arg[len(arg)-1]
-		return exec.Command("")
+		return execabs.Command("")
 	}
 
 	urlStr := "https://fyne.io"

app/app_windows.go

@@ -9,7 +9,6 @@ import (
 	"io/ioutil"
 	"net/url"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"strings"
 	"syscall"
@@ -18,6 +17,8 @@ import (
 
 	"fyne.io/fyne/v2"
 	"fyne.io/fyne/v2/theme"
+
+	"golang.org/x/sys/execabs"
 )
 
 const notificationTemplate = `$title = "%s"
@@ -102,7 +103,7 @@ func runScript(name, script string) {
 	defer os.Remove(tmpFilePath)
 
 	launch := "(Get-Content -Encoding UTF8 -Path " + tmpFilePath + " -Raw) | Invoke-Expression"
-	cmd := exec.Command("PowerShell", "-ExecutionPolicy", "Bypass", launch)
+	cmd := execabs.Command("PowerShell", "-ExecutionPolicy", "Bypass", launch)
 	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
 	err = cmd.Run()
 	if err != nil {

cmd/fyne/internal/commands/build.go

@@ -3,9 +3,10 @@ package commands
 import (
 	"fmt"
 	"os"
-	"os/exec"
 	"runtime"
 	"strings"
+
+	"golang.org/x/sys/execabs"
 )
 
 type builder struct {
@@ -45,7 +46,7 @@ func (b *builder) build() error {
 		args = append(args, "-tags", strings.Join(tags, ","))
 	}
 
-	cmd := exec.Command("go", args...)
+	cmd := execabs.Command("go", args...)
 	cmd.Dir = b.srcdir
 	if goos != "ios" && goos != "android" {
 		env = append(env, "GOOS="+goos)

cmd/fyne/internal/commands/deprecated.go

@@ -2,9 +2,9 @@ package commands
 
 import (
 	"os"
-	"os/exec"
 
 	"github.com/urfave/cli/v2"
+	"golang.org/x/sys/execabs"
 )
 
 // Vendor returns the vendor cli command.
@@ -15,7 +15,7 @@ func Vendor() *cli.Command {
 		Name:  "vendor",
 		Usage: "Deprecated: Use \"go mod vendor\" instead.",
 		Action: func(_ *cli.Context) error {
-			cmd := exec.Command("go", "mod", "vendor")
+			cmd := execabs.Command("go", "mod", "vendor")
 			cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
 			return cmd.Run()
 		},

cmd/fyne/internal/commands/get.go

@@ -4,13 +4,13 @@ import (
 	"flag"
 	"fmt"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"strings"
 
 	"fyne.io/fyne/v2/cmd/fyne/internal/util"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
+	"golang.org/x/sys/execabs"
 )
 
 // Get returns the command which downloads and installs fyne applications.
@@ -58,7 +58,7 @@ func NewGetter() *Getter {
 
 // Get automates the download and install of a named GUI app package.
 func (g *Getter) Get(pkg string) error {
-	cmd := exec.Command("go", "get", "-u", "-d", pkg)
+	cmd := execabs.Command("go", "get", "-u", "-d", pkg)
 	cmd.Env = append(os.Environ(), "GO111MODULE=off") // cache the downloaded code
 	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
 
@@ -124,7 +124,7 @@ func (g *Getter) Run(args []string) {
 }
 
 func goPath() string {
-	cmd := exec.Command("go", "env", "GOPATH")
+	cmd := execabs.Command("go", "env", "GOPATH")
 	out, err := cmd.CombinedOutput()
 
 	if err != nil {

cmd/fyne/internal/commands/install.go

@@ -5,14 +5,14 @@ import (
 	"flag"
 	"fmt"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"strings"
 
 	"fyne.io/fyne/v2"
 	"fyne.io/fyne/v2/cmd/fyne/internal/mobile"
 
 	"github.com/urfave/cli/v2"
+	"golang.org/x/sys/execabs"
 )
 
 // Install returns the cli command for installing fyne applications
@@ -195,12 +195,12 @@ func (i *Installer) installIOS() error {
 }
 
 func (i *Installer) runMobileInstall(tool, target string, args ...string) error {
-	_, err := exec.LookPath(tool)
+	_, err := execabs.LookPath(tool)
 	if err != nil {
 		return err
 	}
 
-	cmd := exec.Command(tool, append(args, target)...)
+	cmd := execabs.Command(tool, append(args, target)...)
 	cmd.Stderr = os.Stderr
 	cmd.Stdout = os.Stdout
 	return cmd.Run()

cmd/fyne/internal/commands/package-mobile.go

@@ -3,7 +3,6 @@ package commands
 import (
 	"io/ioutil"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"strconv"
 
@@ -12,6 +11,7 @@ import (
 	"fyne.io/fyne/v2/cmd/fyne/internal/templates"
 	"fyne.io/fyne/v2/cmd/fyne/internal/util"
 	"github.com/pkg/errors"
+	"golang.org/x/sys/execabs"
 )
 
 func (p *Packager) packageAndroid(arch string) error {
@@ -61,7 +61,7 @@ func (p *Packager) packageIOS() error {
 	}
 
 	appDir := filepath.Join(p.dir, mobile.AppOutputName(p.os, p.name))
-	cmd := exec.Command("xcrun", "actool", "Images.xcassets", "--compile", appDir, "--platform",
+	cmd := execabs.Command("xcrun", "actool", "Images.xcassets", "--compile", appDir, "--platform",
 		"iphoneos", "--target-device", "iphone", "--minimum-deployment-target", "9.0", "--app-icon", "AppIcon",
 		"--output-partial-info-plist", "/dev/null")
 	return cmd.Run()
@@ -70,5 +70,5 @@ func (p *Packager) packageIOS() error {
 func copyResizeIcon(size int, dir, source string) error {
 	strSize := strconv.Itoa(size)
 	path := dir + "/Icon_" + strSize + ".png"
-	return exec.Command("sips", "-o", path, "-Z", strSize, source).Run()
+	return execabs.Command("sips", "-o", path, "-Z", strSize, source).Run()
 }

cmd/fyne/internal/commands/package-unix.go

@@ -2,12 +2,13 @@ package commands
 
 import (
 	"os"
-	"os/exec"
 	"path/filepath"
 
 	"fyne.io/fyne/v2/cmd/fyne/internal/templates"
 	"fyne.io/fyne/v2/cmd/fyne/internal/util"
 	"github.com/pkg/errors"
+
+	"golang.org/x/sys/execabs"
 )
 
 type unixData struct {
@@ -66,7 +67,7 @@ func (p *Packager) packageUNIX() error {
 			return errors.Wrap(err, "Failed to write Makefile string")
 		}
 
-		tarCmd := exec.Command("tar", "-Jcf", p.name+".tar.xz", "-C", tempDir, "usr", "Makefile")
+		tarCmd := execabs.Command("tar", "-Jcf", p.name+".tar.xz", "-C", tempDir, "usr", "Makefile")
 		if err = tarCmd.Run(); err != nil {
 			return errors.Wrap(err, "Failed to create archive with tar")
 		}

cmd/fyne/internal/commands/package-windows.go

@@ -4,7 +4,6 @@ import (
 	"image"
 	"io/ioutil"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"runtime"
 	"strings"
@@ -15,6 +14,7 @@ import (
 	"github.com/pkg/errors"
 	"golang.org/x/mod/modfile"
 	"golang.org/x/mod/module"
+	"golang.org/x/sys/execabs"
 )
 
 type windowsData struct {
@@ -144,5 +144,5 @@ func runAsAdminWindows(args ...string) error {
 		cmd += ",\"" + arg + "\""
 	}
 
-	return exec.Command("powershell.exe", "Start-Process", "cmd.exe", "-Verb", "runAs", "-ArgumentList", cmd).Run()
+	return execabs.Command("powershell.exe", "Start-Process", "cmd.exe", "-Verb", "runAs", "-ArgumentList", cmd).Run()
 }