mirror of
https://github.com/qbittorrent/qBittorrent.git
synced 2024-12-27 08:19:30 +08:00
Prevent command injection via "Run external program" function
Closes #10925.
This commit is contained in:
parent
7f3291c3de
commit
a610c8567e
@ -335,7 +335,11 @@ void Application::runExternalProgram(const BitTorrent::TorrentHandle *torrent) c
|
||||
|
||||
::LocalFree(args);
|
||||
#else
|
||||
QProcess::startDetached(QLatin1String("/bin/sh"), {QLatin1String("-c"), program});
|
||||
// Cannot give users shell environment by default, as doing so could
|
||||
// enable command injection via torrent name and other arguments
|
||||
// (especially when some automated download mechanism has been setup).
|
||||
// See: https://github.com/qbittorrent/qBittorrent/issues/10925
|
||||
QProcess::startDetached(program);
|
||||
#endif
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user