Sindre Sorhus/os-locale

os-locale calls wmic with no extension and without explicit path

6 years ago

👍

Our Windows app that uses os-locale has been flagged as a security risk because it will launch any file named "wmic", regardless of extension, and the file can be anywhere on the PATH, including the app's own directory. It could be a vbs file, for example.

The suggested secure way (if you have to use wmic):

Always use the exe extension.
Always use the full standard path to wmic.exe.

sindresorhus / os-locale

Get the system locale

225

How does funding with Polar work?

Pay now to fund the work behind this issue.

Get updates on progress being made.

Maintainer is rewarded once the issue is completed.

FAQ

Backer

You're funding impactful open source efforts

Contributor

You want to contribute to this effort

Maintainer

You want to get funding like this too

Sindre Sorhus/os-locale

os-locale calls wmic with no extension and without explicit path

How does funding with Polar work?

Backer

Why does "Fund on completion" require GitHub login?

When is the invoice due for "Fund on completion"?

What happens if the issue is never completed?

Do I get any extra benefits by funding?

Do I get progress updates?

Contributor

Do I get a reward?

Is rewards guaranteed?

Maintainer

How can I get funding like this for my open source initiatives?