WebAPI: Trim leading whitespaces on Run External Program fields

Hacked qbt instances may contain a malicious script placed in Run External Program, and the script
will attempt to hide itself by adding a lot of whitespace at the start of the command string.
Users may mistake the field for being empty when it actually is not.
So trim the leading whitespace to easily expose the malicious script.

Note that the GUI already trims the fields and only the WebAPI doesn't trim them. This patch will unify
the behavior.
Related: https://github.com/qbittorrent/docker-qbittorrent-nox/issues/71#issuecomment-2993567440

PR #22939.
Chocobo1 2025-06-30 01:39:03 +08:00 committed by Vladimir Golovnev (glassez)
commit 9b29d37d21
No known key found for this signature in database
GPG key ID: 52A2C7DEE2DFA6F7

@ -673,12 +673,12 @@ void AppController::setPreferencesAction()
if (hasKey(u"autorun_on_torrent_added_enabled"_s))
pref->setAutoRunOnTorrentAddedEnabled(it.value().toBool());
if (hasKey(u"autorun_on_torrent_added_program"_s))
pref->setAutoRunOnTorrentAddedProgram(it.value().toString());
pref->setAutoRunOnTorrentAddedProgram(it.value().toString().trimmed());
// Run an external program on torrent finished
if (hasKey(u"autorun_enabled"_s))
pref->setAutoRunOnTorrentFinishedEnabled(it.value().toBool());
if (hasKey(u"autorun_program"_s))
pref->setAutoRunOnTorrentFinishedProgram(it.value().toString());
pref->setAutoRunOnTorrentFinishedProgram(it.value().toString().trimmed());
// Connection
// Listening Port
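
Review bot: `trimmed()` on the two `...Program` setter calls strips trailing whitespace as well as leading, while the commit title and message speak only of leading whitespace; note that in the message or in a comment so the WebAPI behaviour change is documented. The trim is also applied only at these two call sites in `setPreferencesAction()`, so it affects just the values that arrive through this endpoint from now on. Doing it inside `setAutoRunOnTorrentAddedProgram()` and `setAutoRunOnTorrentFinishedProgram()` would cover every caller in one place, and trimming where the stored value is read back would also expose a padded command that was saved before this change.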