From a610c8567e55516231d199b551e0e7e2dca70cbf Mon Sep 17 00:00:00 2001
From: Chocobo1 <Chocobo1@users.noreply.github.com>
Date: Thu, 18 Jul 2019 22:36:40 +0800
Subject: [PATCH] Prevent command injection via "Run external program" function

Closes #10925.
---
 src/app/application.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/app/application.cpp b/src/app/application.cpp
index a124f2a3d98..19b8823d225 100644
--- a/src/app/application.cpp
+++ b/src/app/application.cpp
@@ -335,7 +335,11 @@ void Application::runExternalProgram(const BitTorrent::TorrentHandle *torrent) c
 
     ::LocalFree(args);
 #else
-    QProcess::startDetached(QLatin1String("/bin/sh"), {QLatin1String("-c"), program});
+    // Cannot give users shell environment by default, as doing so could
+    // enable command injection via torrent name and other arguments
+    // (especially when some automated download mechanism has been setup).
+    // See: https://github.com/qbittorrent/qBittorrent/issues/10925
+    QProcess::startDetached(program);
 #endif
 }