Fix CVE-2024-0521 (#61032)

This uses shlex for safe command parsing to fix arbitrary code injection

Author: ndren

python/paddle/utils/download.py

@@ -15,6 +15,7 @@
 import hashlib
 import os
 import os.path as osp
+import shlex
 import shutil
 import subprocess
 import sys
@@ -204,7 +205,8 @@ def _wget_download(url: str, fullname: str):
             'https',
         ), 'Only support https and http url'
         # using wget to download url
-        tmp_fullname = fullname + "_tmp"
+        tmp_fullname = shlex.quote(fullname + "_tmp")
+        url = shlex.quote(url)
         # –user-agent
         command = f'wget -O {tmp_fullname} -t {DOWNLOAD_RETRY_LIMIT} {url}'
         subprc = subprocess.Popen(