Skip to content

fix(security): 2 improvements across 2 files#424

Open
tomaioo wants to merge 2 commits into
minorua:masterfrom
tomaioo:fix/security/potential-command-injection-via-browser-
Open

fix(security): 2 improvements across 2 files#424
tomaioo wants to merge 2 commits into
minorua:masterfrom
tomaioo:fix/security/potential-command-injection-via-browser-

Conversation

@tomaioo

@tomaioo tomaioo commented Jun 30, 2026

Copy link
Copy Markdown

Summary

fix(security): 2 improvements across 2 files

Problem

Severity: Medium | File: utils/gui.py:L28

In utils/gui.py, the openUrl function uses QProcess.startDetached with a user-configured browser path and a URL. While QProcess.startDetached with a list argument is generally safer than string concatenation, the browser path comes from user settings (/Qgis2threejs/browser) without validation. A malicious or malformed browser path could potentially lead to command execution if the path contains shell metacharacters or if the implementation doesn't properly handle the path. Additionally, the URL is passed as a string argument which could be manipulated.

Solution

Validate and sanitize the browserPath before use. Use shlex.quote() or similar to escape the browser path. Consider using QProcess with explicit program and arguments rather than relying on shell parsing. Verify the browser path points to an actual executable file.

Changes

  • utils/gui.py (modified)
  • core/plugin/pluginmanager.py (modified)

tomaioo added 2 commits June 29, 2026 23:10
- Security: Potential Command Injection via Browser Path Configuration
- Security: Unsafe Dynamic Module Loading in Plugin Manager

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
- Security: Potential Command Injection via Browser Path Configuration
- Security: Unsafe Dynamic Module Loading in Plugin Manager

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
@minorua

minorua commented Jul 1, 2026

Copy link
Copy Markdown
Owner

Changing the Qgis2threejs browserPath setting to launch a malicious program is theoretically possible. However, such an attack vector is highly indirect, given that a malicious QGIS plugin already has the ability to execute arbitrary code on the user's system. Additionally, since QProcess.startDetached() passes the program and its arguments separately without invoking a shell, the typical OS command injection vector is effectively eliminated.

Furthermore, this browser path setting is a legacy feature from early versions of Qgis2threejs, originally intended to open exported web pages locally. The upcoming version uses ES modules, which modern browsers block when loaded via the file:// protocol due to CORS restrictions.

Since a local HTTP server is now required to view exported pages and this setting has become obsolete, I will remove the browser path configuration rather than patch it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants