Merge pull request #1003 from thomasgl-orange/execFile

prevent arbitrary command execution via URL when using --defaultURLHandler

app/mainAppWindow/index.js

@@ -10,7 +10,7 @@ const { StreamSelector } = require('../streamSelector');
 const { LucidLog } = require('lucid-log');
 const { SpellCheckProvider } = require('../spellCheckProvider');
 const { httpHelper } = require('../helpers');
-const exec = require('child_process').exec;
+const execFile = require('child_process').execFile;
 const TrayIconChooser = require('../browser/tools/trayIconChooser');
 // eslint-disable-next-line no-unused-vars
 const { AppConfiguration } = require('../appConfiguration');
@@ -360,7 +360,7 @@ function secureOpenLink(details) {
 
 function openInBrowser(details) {
 	if (config.defaultURLHandler.trim() !== '') {
-		exec(`${config.defaultURLHandler.trim()} "${details.url}"`, openInBrowserErrorHandler);
+		execFile(config.defaultURLHandler.trim(), [details.url], openInBrowserErrorHandler);
 	} else {
 		shell.openExternal(details.url);
 	}

com.github.IsmaelMartinez.teams_for_linux.appdata.xml

@@ -14,6 +14,13 @@
 	<url type="bugtracker">https://github.com/IsmaelMartinez/teams-for-linux/issues</url>
 	<launchable type="desktop-id">com.github.IsmaelMartinez.teams_for_linux.desktop</launchable>
 	<releases>
+		<release version="1.3.17" date="2023-10-30">
+			<description>
+				<ul>
+					<li>Fix: Avoid calling child_process.exec with untrusted string</li>
+				</ul>
+			</description>
+		</release>
 		<release version="1.3.16" date="2023-10-30">
 			<description>
 				<ul>

package.json

@@ -1,6 +1,6 @@
 {
   "name": "teams-for-linux",
-  "version": "1.3.16",
+  "version": "1.3.17",
   "main": "app/index.js",
   "description": "Unofficial client for Microsoft Teams for Linux",
   "homepage": "https://github.com/IsmaelMartinez/teams-for-linux",