From a610c8567e55516231d199b551e0e7e2dca70cbf Mon Sep 17 00:00:00 2001
From: Chocobo1 <Chocobo1@users.noreply.github.com>
Date: Thu, 18 Jul 2019 22:36:40 +0800
Subject: [PATCH] Prevent command injection via "Run external program" function
Closes #10925.
---
src/app/application.cpp | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/app/application.cpp b/src/app/application.cpp
index a124f2a3d9..19b8823d22 100644
--- a/src/app/application.cpp
+++ b/src/app/application.cpp
@@ -335,7 +335,11 @@ void Application::runExternalProgram(const BitTorrent::TorrentHandle *torrent) c
::LocalFree(args);
#else
- QProcess::startDetached(QLatin1String("/bin/sh"), {QLatin1String("-c"), program});
+ // Cannot give users shell environment by default, as doing so could
+ // enable command injection via torrent name and other arguments
+ // (especially when some automated download mechanism has been setup).
+ // See: https://github.com/qbittorrent/qBittorrent/issues/10925
+ QProcess::startDetached(program);
#endif
}
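Review bot: The added `QProcess::startDetached(program);` removes the shell, but this single-string overload still tokenises `program` itself — splitting on whitespace with double-quote handling — before launching, so a value substituted into `program` earlier (the torrent name the comment mentions, or other fields) that contains spaces or quotes can still shift argument boundaries; the change narrows the issue to argument injection rather than eliminating it. The new comment should say so, e.g. append `// Note: this overload still splits 'program' on whitespace/quotes, so substituted values must be quoted as whole arguments.` Where the Qt version in use allows it, `QProcess::startDetached(const QString &program, const QStringList &arguments)` with the substituted values placed as individual list entries avoids the re-tokenising entirely, and the single-string overload is deprecated in later Qt 5 releases anyway. runExternalProgram begins before this hunk, so how `program` is assembled is not visible here and the quoting claim should be checked against that code.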