fix(security): 2 improvements across 2 files#424
Conversation
- Security: Potential Command Injection via Browser Path Configuration - Security: Unsafe Dynamic Module Loading in Plugin Manager Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
- Security: Potential Command Injection via Browser Path Configuration - Security: Unsafe Dynamic Module Loading in Plugin Manager Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
|
Changing the Qgis2threejs Furthermore, this browser path setting is a legacy feature from early versions of Qgis2threejs, originally intended to open exported web pages locally. The upcoming version uses ES modules, which modern browsers block when loaded via the Since a local HTTP server is now required to view exported pages and this setting has become obsolete, I will remove the browser path configuration rather than patch it. |
Summary
fix(security): 2 improvements across 2 files
Problem
Severity:
Medium| File:utils/gui.py:L28In
utils/gui.py, theopenUrlfunction usesQProcess.startDetachedwith a user-configured browser path and a URL. WhileQProcess.startDetachedwith a list argument is generally safer than string concatenation, the browser path comes from user settings (/Qgis2threejs/browser) without validation. A malicious or malformed browser path could potentially lead to command execution if the path contains shell metacharacters or if the implementation doesn't properly handle the path. Additionally, the URL is passed as a string argument which could be manipulated.Solution
Validate and sanitize the browserPath before use. Use
shlex.quote()or similar to escape the browser path. Consider usingQProcesswith explicit program and arguments rather than relying on shell parsing. Verify the browser path points to an actual executable file.Changes
utils/gui.py(modified)core/plugin/pluginmanager.py(modified)