Merge pull request #1742 from maple3142/fix-command-injection

Fix command injection in link handler
Hudson Curren 2023-07-02 13:31:41 +12:00 committed by GitHub
commit 58a2eefcda
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -173,7 +173,7 @@ export class AppEvents {
console.log("token: ", authURI.split("lastfm?token=")[1]); console.log("token: ", authURI.split("lastfm?token=")[1]);
utils utils
.getWindow() .getWindow()
.webContents.executeJavaScript(`ipcRenderer.send('lastfm:auth', "${authURI.split("lastfm?token=")[1]}")`) .webContents.executeJavaScript(`ipcRenderer.send('lastfm:auth', ${JSON.stringify(authURI.split("lastfm?token=")[1])})`)
.catch(console.error); .catch(console.error);
} }
} else if (arg.includes("playpause")) { } else if (arg.includes("playpause")) {
@ -220,7 +220,7 @@ export class AppEvents {
} else if (arg.includes("/beep")) { } else if (arg.includes("/beep")) {
shell.beep(); shell.beep();
} else { } else {
utils.getWindow().webContents.executeJavaScript(`app.appRoute('${arg.split("//")[1]}')`); utils.getWindow().webContents.executeJavaScript(`app.appRoute(${JSON.stringify(arg.split("//")[1])})`);
} }
} }
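Review bot: Both rewritten calls (the `lastfm:auth` send and the final `app.appRoute` branch) still splice link-supplied text into the source string given to `executeJavaScript`, so safety depends on every such call site remembering `JSON.stringify`. Passing the value as data instead, for example `utils.getWindow().webContents.send("<route-channel>", arg.split("//")[1])` with a matching renderer listener, would remove the string-to-code step entirely; the channel name is a placeholder and the renderer side is not visible here. The `app.appRoute` call also lacks the `.catch(console.error)` that the first call has, so a rejection there would go unhandled. Separately, the unchanged `console.log("token: ", ...)` line writes the Last.fm auth token to the log and is worth dropping. The enclosing method starts and ends outside both hunks.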