From a610c8567e55516231d199b551e0e7e2dca70cbf Mon Sep 17 00:00:00 2001
From: Chocobo1
Date: Thu, 18 Jul 2019 22:36:40 +0800
Subject: [PATCH] Prevent command injection via "Run external program" function

Closes #10925.
---
 src/app/application.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/app/application.cpp b/src/app/application.cpp
index a124f2a3d..19b8823d2 100644
--- a/src/app/application.cpp
+++ b/src/app/application.cpp
@@ -335,7 +335,11 @@ void Application::runExternalProgram(const BitTorrent::TorrentHandle *torrent) c
 ::LocalFree(args);
 #else
- QProcess::startDetached(QLatin1String("/bin/sh"), {QLatin1String("-c"), program});
+ // Cannot give users shell environment by default, as doing so could
+ // enable command injection via torrent name and other arguments
+ // (especially when some automated download mechanism has been setup).
+ // See: https://github.com/qbittorrent/qBittorrent/issues/10925
+ QProcess::startDetached(program);
 #endif
 }
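Review bot: The added `QProcess::startDetached(program);` line still tokenizes `program` itself, because the single-QString overload splits the command into executable and arguments using QProcess's own quoting rules, so torrent-derived text substituted into `program` (which, per the commit message, happens before this hunk) can still contain spaces or quotes that shift argument boundaries, even though it can no longer reach a shell. The new comment should state that residual limit so a later maintainer does not read the change as fully neutralising untrusted input, e.g. `// Note: this overload still splits the string by QProcess quoting rules; substituted values can alter argument boundaries but cannot reach a shell.` A more robust shape is to split the user's template into tokens first, substitute placeholders per token, and call the `(QString, QStringList)` overload so each substituted value stays a single argument; that change belongs in the code that builds `program`, outside this hunk. The enclosing runExternalProgram() starts outside the hunk, and the Windows branch above `#else` is not visible here, so whether it has an analogous tokenisation concern cannot be judged from this diff.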