OS command injection on windows when opening urls
it is possible to run os commands when opening urls, eg:
open('https://$(calc.exe)')
opens the default browser, but als runs calc.exe
expected
the url argument should be sufficiently escaped when invoking powershell so that this vulnerability cannot be exploited.
sindresorhus / open
Open stuff like URLs, files, executables. Cross-platform.
3.2k
How does funding with Polar work?
1
Pay now to fund the work behind this issue.
2
Get updates on progress being made.
3
Maintainer is rewarded once the issue is completed.
FAQ
Backer
You're funding impactful open source efforts
Contributor
You want to contribute to this effort
Maintainer
You want to get funding like this too