github/qBittorrent
1
0
Fork 0
mirror of https://github.com/qbittorrent/qBittorrent synced 2025-07-05 12:45:58 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

WebAPI: Trim leading whitespaces on Run External Program fields

Browse source 
Hacked qbt instances may contain malicious script placed in Run External Program and the script
will attempt to hide itself by adding a lot whitespaces at the start of the command string.
Users may mistake the field of being empty but is actually not.
So trim the leading whitespaces to easily expose the malicious script.

Note that GUI already trim the fields and only WebAPI doesn't trim them. This patch will unify
the behavior.
Related: https://github.com/qbittorrent/docker-qbittorrent-nox/issues/71#issuecomment-2993567440

PR #22939.
This commit is contained in:
Chocobo1 2025-06-30 01:39:03 +08:00 committed by GitHub
parent 690a139538
commit 70a6153b78
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/webui/api/appcontroller.cpp
View file

@ -682,12 +682,12 @@ void AppController::setPreferencesAction()
if (hasKey(u"autorun_on_torrent_added_enabled"_s))
pref->setAutoRunOnTorrentAddedEnabled(it.value().toBool());
if (hasKey(u"autorun_on_torrent_added_program"_s))
pref->setAutoRunOnTorrentAddedProgram(it.value().toString());
pref->setAutoRunOnTorrentAddedProgram(it.value().toString().trimmed());
// Run an external program on torrent finished
if (hasKey(u"autorun_enabled"_s))
pref->setAutoRunOnTorrentFinishedEnabled(it.value().toBool());
if (hasKey(u"autorun_program"_s))
pref->setAutoRunOnTorrentFinishedProgram(it.value().toString());
pref->setAutoRunOnTorrentFinishedProgram(it.value().toString().trimmed());
// Connection
// Listening Port