[patch] Patch remote OS command injection vulnerability

Author: superboy-zjc

src/llamafactory/webui/runner.py

@@ -320,7 +320,12 @@ def _launch(self, data: Dict["Component", Any], do_train: bool) -> Generator[Dic
             if args.get("deepspeed", None) is not None:
                 env["FORCE_TORCHRUN"] = "1"
 
-            self.trainer = Popen(f"llamafactory-cli train {save_cmd(args)}", env=env, shell=True)
+            cmd = [
+                "llamafactory-cli",
+                "train", 
+                *save_cmd(args).split(),
+            ]
+            self.trainer = Popen(cmd, env=env)
             yield from self.monitor()
 
     def _form_config_dict(self, data: Dict["Component", Any]) -> Dict[str, Any]: