Proper URL quoting to avoid shell injection
themoken committed Oct 17, 2014
1 parent 2d87b4a commit 2817869
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions canto_curses/guibase.py
@@ -156,6 +156,11 @@ def _fork(self, path, href, text, fetch=False):

href = tmpnam

# Make sure that we quote href such that malicious URLs like
# "http://example.com & rm -rf ~/" won't be interpreted by the shell.

href = shlex.quote(href)

# A lot of programs don't appreciate
# having their fds closed, so instead
# we dup them to /dev/null.
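Review bot: quoting `href` with `shlex.quote` only protects against injection if the value is later interpolated into a single command string that is handed to a shell; the hunk does not show how the command is built, so it should be checked that `shlex.quote` is actually the right tool here. If the command is (or can be) executed as an argument list through `subprocess`/`os.execvp` without a shell, the quoting is unnecessary and would instead pass literal quote characters to the program, so the more robust fix is to build an argv list and never involve a shell at all. If a shell string is genuinely required, the other caller-controlled values in the same method signature, `path` and `text`, need the same treatment wherever they reach that string; this hunk quotes only `href`. Two smaller points: `shlex.quote` requires `import shlex` (not visible in this hunk) and exists only on Python 3.3+ (`pipes.quote` on Python 2), and the assignment sits after `href = tmpnam`, so in the `fetch` branch the temporary file name is quoted as well, which is the intended behaviour and worth a short comment.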