d4708/qBittorrent
1
0
Fork 0
mirror of https://github.com/d47081/qBittorrent.git synced 2025-02-09 21:34:20 +00:00
Code Issues Projects Releases Wiki Activity

Migrate away from unsafe function

Browse Source 
MooTools More has CVE-2021-20088 and qbt is affected by it by using the
unsafe function call `String.parseQueryString()`, so migrate away from
it.

PR #18554.
This commit is contained in:
Chocobo1 2023-02-15 13:59:21 +08:00 committed by GitHub
parent 3fea9f5a33
commit 6a4bb5c1b7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/webui/www/private/scripts/client.js
View File

@ -1387,11 +1387,11 @@ function registerMagnetHandler() {
return; return;
} }
const hashParams = getHashParamsFromUrl(); const hashString = location.hash ? location.hash.replace(/^#/, '') : '';
hashParams.download = ''; const hashParams = new URLSearchParams(hashString);
hashParams.set('download', '');
const templateHashString = Object.toQueryString(hashParams).replace('download=', 'download=%s');
const templateHashString = hashParams.toString().replace('download=', 'download=%s');
const templateUrl = location.origin + location.pathname const templateUrl = location.origin + location.pathname
+ location.search + '#' + templateHashString; + location.search + '#' + templateHashString;
@ -1411,11 +1411,6 @@ function handleDownloadParam() {
showDownloadPage([url]); showDownloadPage([url]);
} }
function getHashParamsFromUrl() {
const hashString = location.hash ? location.hash.replace(/^#/, '') : '';
return (hashString.length > 0) ? String.parseQueryString(hashString) : {};
}
function closeWindows() { function closeWindows() {
MochaUI.closeAll(); MochaUI.closeAll();
} }