mirror/qBittorrent
2
0
Fork 0
mirror of https://github.com/qbittorrent/qBittorrent.git synced 2024-12-27 08:19:30 +08:00
Code Issues Packages Projects Releases Wiki Activity

Prevent command injection via "Run external program" function

Browse Source 
Closes #10925.
This commit is contained in:
Chocobo1 2019-07-18 22:36:40 +08:00
parent 7f3291c3de
commit a610c8567e
No known key found for this signature in database
GPG Key ID: 210D9C873253A68C
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/app/application.cpp
View File

@ -335,7 +335,11 @@ void Application::runExternalProgram(const BitTorrent::TorrentHandle *torrent) c
::LocalFree(args); ::LocalFree(args);
#else #else
QProcess::startDetached(QLatin1String("/bin/sh"), {QLatin1String("-c"), program}); // Cannot give users shell environment by default, as doing so could
// enable command injection via torrent name and other arguments
// (especially when some automated download mechanism has been setup).
// See: https://github.com/qbittorrent/qBittorrent/issues/10925
QProcess::startDetached(program);
#endif #endif
} }