Description
qBittorrent version and Operating System
4.1.5 on FreeBSD, but judging by the source code, probably all versions
What is the problem
The function Application::runExternalProgram() located in qBittorrent/src/app/application.cpp does not sanitize the name of the torrent and the other parameters before passing them as command line arguments. Right now it does a simple text substitution, which is vulnerable to command injection.
What is the expected behavior
The parameters are sanitized before being passed to the command line. This means something like PHP's escapeshellarg.
Steps to reproduce
- Configure qBittorrent to run an external script in Preferences - Downloads. Anything is valid. You can even quote the arguments. For example:
  /home/user/notify.sh "%N" "%L" %C %Z
- Create a new torrent with the following command:
  mktorrent -n 'Name"; firefox ; "' -o exploit.torrent SourceDir
  To test it locally with already created content, without needing to upload your torrent to a public tracker, create a directory named 'Name"; firefox ; "' (without the first and last quotes) that has the same contents as the previous command's SourceDir. This will re-hash the content and mark it as completed, executing the script. You can use midnight commander to do this.
- When the torrent download finishes, Firefox is opened.
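As an added example (not qBittorrent's code and not part of this report), the plain text substitution described above is shown beside a hardened version: the user's script line is split into words first, the torrent values are substituted into the already-split words, and the resulting argument list is meant for a launch without a shell (execvp, or QProcess::startDetached with a program and an argument list). An escapeshellarg-style quoter is included for the case where a shell string cannot be avoided. The script path, the %N/%L/%C/%Z codes and the torrent name come from the report; the values for category, file count and size are constructed, and TorrentInfo, tokenizeTemplate, safeArgv and the other names are assumptions made for this example.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Constructed sample values a torrent could supply; the name has the shape of
// the payload in the report. Not taken from a real torrent.
struct TorrentInfo {
    std::string name;      // %N
    std::string category;  // %L
    std::string files;     // %C
    std::string size;      // %Z
};

const TorrentInfo kSample{"Name\"; firefox ; \"", "cat", "3", "1024"};
// Script line as a user might type it in Preferences - Downloads.
const std::string kTemplate = "/home/user/notify.sh \"%N\" \"%L\" %C %Z";

static bool lookupParam(char code, const TorrentInfo& t, std::string& out) {
    switch (code) {
        case 'N': out = t.name;     return true;
        case 'L': out = t.category; return true;
        case 'C': out = t.files;    return true;
        case 'Z': out = t.size;     return true;
        default:  return false;  // unknown code: leave the text alone
    }
}

// Replace every %X placeholder in `text` with the torrent's value. One pass
// over the template, so a '%' inside a torrent value is never re-expanded.
static std::string substitute(const std::string& text, const TorrentInfo& t) {
    std::string out;
    for (size_t i = 0; i < text.size(); ++i) {
        std::string val;
        if (text[i] == '%' && i + 1 < text.size() && lookupParam(text[i + 1], t, val)) {
            out += val;
            ++i;  // skip the parameter letter
        } else {
            out += text[i];
        }
    }
    return out;
}

// VULNERABLE: substitute into the whole line and hand it to a shell.
// The quotes and ';' in the torrent name are parsed by the shell as syntax.
std::string unsafeCommandLine(const std::string& tmpl, const TorrentInfo& t) {
    return substitute(tmpl, t);  // this string would go to /bin/sh -c
}

// Split the user's template into words, honouring the quotes the user typed,
// BEFORE any torrent data is involved (backslash escapes are not handled; a
// simplification for this example).
static std::vector<std::string> tokenizeTemplate(const std::string& tmpl) {
    std::vector<std::string> words;
    std::string cur;
    bool inWord = false;
    char quote = 0;
    for (char c : tmpl) {
        if (quote) {
            if (c == quote) quote = 0; else cur += c;
        } else if (c == '"' || c == '\'') {
            quote = c; inWord = true;
        } else if (c == ' ' || c == '\t') {
            if (inWord) { words.push_back(cur); cur.clear(); inWord = false; }
        } else {
            cur += c; inWord = true;
        }
    }
    if (inWord) words.push_back(cur);
    return words;
}

// HARDENED: tokenize first, substitute per word, launch without a shell.
// A name containing quotes or ';' stays a single argv element.
std::vector<std::string> safeArgv(const std::string& tmpl, const TorrentInfo& t) {
    std::vector<std::string> argv;
    for (const std::string& w : tokenizeTemplate(tmpl)) argv.push_back(substitute(w, t));
    return argv;
}

// escapeshellarg-style quoting for when a shell string is unavoidable: wrap
// in single quotes and write an embedded ' as '\'' (close, escaped ', reopen).
std::string shellQuote(const std::string& s) {
    std::string out = "'";
    for (char c : s) out += (c == '\'') ? std::string("'\\''") : std::string(1, c);
    return out + "'";
}

// Build a shell line from an argv where every element is inert data.
std::string argvToShellLine(const std::vector<std::string>& argv) {
    std::string line;
    for (size_t i = 0; i < argv.size(); ++i) {
        if (i) line += ' ';
        line += shellQuote(argv[i]);
    }
    return line;
}

int main() {
    std::cout << "unsafe: " << unsafeCommandLine(kTemplate, kSample) << "\n";
    std::cout << "quoted: " << argvToShellLine(safeArgv(kTemplate, kSample)) << "\n";
    return 0;
}
```

Note that quoting placeholders in the template, as in "%N", does not protect anything: the shell treats those quotes as the user's own syntax, and a value that closes them ends the argument. The robust fix is the argv path, where no shell ever sees the torrent data; the quoter is only for the case where a command string must be built, and it quotes the already-split words rather than the raw template.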
Greetings