New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OS command injection on windows when opening urls #323
Labels
Comments
From the readme:
It's almost impossible to make it entirely secure. That being said, I'm happy to merge pull requests to improve the escaping logic. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
it is possible to run os commands when opening urls, eg:
opens the default browser, but als runs
calc.exe
expected
the url argument should be sufficiently escaped when invoking powershell so that this vulnerability cannot be exploited.
The text was updated successfully, but these errors were encountered: