From 2ef96eb218f788c51870e0d68c737e62adbb25ff Mon Sep 17 00:00:00 2001
From: Chocobo1 <Chocobo1@users.noreply.github.com>
Date: Thu, 18 Jul 2019 22:36:40 +0800
Subject: [PATCH] Prevent command injection via "Run external program" function

---
 src/app/application.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/app/application.cpp b/src/app/application.cpp
index 1f06340e4..9ee888fa9 100644
--- a/src/app/application.cpp
+++ b/src/app/application.cpp
@@ -332,7 +332,11 @@ void Application::runExternalProgram(const BitTorrent::TorrentHandle *torrent) c
 
     ::LocalFree(args);
 #else
-    QProcess::startDetached(QLatin1String("/bin/sh"), {QLatin1String("-c"), program});
+    // Cannot give users shell environment by default, as doing so could
+    // enable command injection via torrent name and other arguments
+    // (especially when some automated download mechanism has been setup).
+    // See: https://github.com/qbittorrent/qBittorrent/issues/10925
+    QProcess::startDetached(program);
 #endif
 }