From 06f296289eefaa9aa44fca92ff7cd6bbe67122f8 Mon Sep 17 00:00:00 2001
From: Softer <sft.nik@gmail.com>
Date: Sat, 18 Apr 2026 12:00:01 +0300
Subject: [PATCH] Fix shell injection in user_set_shell and chown

Use argv list with run() instead of sh -c with f-string interpolation,
fix mutable default argument in chown, add debug logging on failure.
---
 archinstall/lib/installer.py | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/archinstall/lib/installer.py b/archinstall/lib/installer.py
index 9f8c51b2bd..973e80ac1a 100644
--- a/archinstall/lib/installer.py
+++ b/archinstall/lib/installer.py
@@ -1964,18 +1964,22 @@ def set_user_password(self, user: User) -> bool:
 	def user_set_shell(self, user: str, shell: str) -> bool:
 		info(f'Setting shell for {user} to {shell}')
 
+		cmd = ['arch-chroot', '-S', str(self.target), 'chsh', '-s', shell, user]
 		try:
-			self.arch_chroot(f'sh -c "chsh -s {shell} {user}"')
+			run(cmd)
 			return True
-		except SysCallError:
+		except CalledProcessError as err:
+			debug(f'Error setting user shell: {err}')
 			return False
 
-	def chown(self, owner: str, path: str, options: list[str] = []) -> bool:
-		cleaned_path = path.replace("'", "\\'")
+	def chown(self, owner: str, path: str, options: list[str] | None = None) -> bool:
+		options = options or []
+		cmd = ['arch-chroot', '-S', str(self.target), 'chown', *options, owner, path]
 		try:
-			self.arch_chroot(f"sh -c 'chown {' '.join(options)} {owner} {cleaned_path}'")
+			run(cmd)
 			return True
-		except SysCallError:
+		except CalledProcessError as err:
+			debug(f'Error changing ownership of {path}: {err}')
 			return False
 
 	def set_vconsole(self, locale_config: LocaleConfiguration) -> None: