Merge pull request #1742 from maple3142/fix-command-injection

Fix command injection in link handler
ciderapp · Jul 2, 2023 · 58a2eef · 58a2eef
2 parents 723a9e4 + 38e57d5
commit 58a2eef
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/src/main/base/app.ts b/src/main/base/app.ts
@@ -173,7 +173,7 @@ export class AppEvents {
         console.log("token: ", authURI.split("lastfm?token=")[1]);
         utils
           .getWindow()
-          .webContents.executeJavaScript(`ipcRenderer.send('lastfm:auth', "${authURI.split("lastfm?token=")[1]}")`)
+          .webContents.executeJavaScript(`ipcRenderer.send('lastfm:auth', ${JSON.stringify(authURI.split("lastfm?token=")[1])})`)
           .catch(console.error);
       }
     } else if (arg.includes("playpause")) {
@@ -220,7 +220,7 @@ export class AppEvents {
     } else if (arg.includes("/beep")) {
       shell.beep();
     } else {
-      utils.getWindow().webContents.executeJavaScript(`app.appRoute('${arg.split("//")[1]}')`);
+      utils.getWindow().webContents.executeJavaScript(`app.appRoute(${JSON.stringify(arg.split("//")[1])})`);
     }
   }