d4708
/
qBittorrent
mirror of https://github.com/d47081/qBittorrent.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Prevent command injection via "Run external program" function 

Closes #10925.
adaptive-webui-19844
Chocobo1 5 years ago
parent
7f3291c3de
commit
a610c8567e
No known key found for this signature in database
GPG Key ID: 210D9C873253A68C
1 changed files with 5 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 6
      src/app/application.cpp

6
src/app/application.cpp
Unescape View File

@ -335,7 +335,11 @@ void Application::runExternalProgram(const BitTorrent::TorrentHandle *torrent) c @@ -335,7 +335,11 @@ void Application::runExternalProgram(const BitTorrent::TorrentHandle *torrent) c
::LocalFree(args);
#else
QProcess::startDetached(QLatin1String("/bin/sh"), {QLatin1String("-c"), program});
// Cannot give users shell environment by default, as doing so could
// enable command injection via torrent name and other arguments
// (especially when some automated download mechanism has been setup).
// See: https://github.com/qbittorrent/qBittorrent/issues/10925
QProcess::startDetached(program);
#endif
}

Write Preview
Loading…
Cancel
Save