sindresorhus/opn


OS command injection on windows when opening urls #323

tripodsan posted on GitHub

It is possible to run OS commands when opening URLs, e.g.:

open('https://$(calc.exe)')

opens the default browser, but also runs calc.exe.

Expected:

The URL argument should be sufficiently escaped when invoking PowerShell so that this vulnerability cannot be exploited.


From the readme:

This package does not make any security guarantees. If you pass in untrusted input, it's up to you to properly sanitize it.

It's almost impossible to make it entirely secure. That being said, I'm happy to merge pull requests to improve the escaping logic.

posted by sindresorhus over 1 year ago
