From ce6404bc312b6094178be1fb7ea29938be4d17d0 Mon Sep 17 00:00:00 2001
From: Thomas de Grenier de Latour
Date: Mon, 30 Oct 2023 17:02:14 +0100
Subject: [PATCH 1/2] replace exec with execFile
---
 app/mainAppWindow/index.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/mainAppWindow/index.js b/app/mainAppWindow/index.js
index 4b06d8ea..40447ddb 100644
--- a/app/mainAppWindow/index.js
+++ b/app/mainAppWindow/index.js
@@ -10,7 +10,7 @@ const { StreamSelector } = require('../streamSelector');
 const { LucidLog } = require('lucid-log');
 const { SpellCheckProvider } = require('../spellCheckProvider');
 const { httpHelper } = require('../helpers');
-const exec = require('child_process').exec;
+const execFile = require('child_process').execFile;
 const TrayIconChooser = require('../browser/tools/trayIconChooser');
 // eslint-disable-next-line no-unused-vars
 const { AppConfiguration } = require('../appConfiguration');
@@ -360,7 +360,7 @@ function secureOpenLink(details) {
 function openInBrowser(details) {
 if (config.defaultURLHandler.trim() !== '') {
- exec(`${config.defaultURLHandler.trim()} "${details.url}"`, openInBrowserErrorHandler);
+ execFile(config.defaultURLHandler.trim(), [details.url], openInBrowserErrorHandler);
 } else {
 shell.openExternal(details.url);
 }
From 2df43429a07c294ef06b5bcf63d3403088d41131 Mon Sep 17 00:00:00 2001
From: Thomas de Grenier de Latour
Date: Mon, 30 Oct 2023 17:24:48 +0100
Subject: [PATCH 2/2] prepare release 1.3.17
---
 com.github.IsmaelMartinez.teams_for_linux.appdata.xml | 7 +++++++
 package.json | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/com.github.IsmaelMartinez.teams_for_linux.appdata.xml b/com.github.IsmaelMartinez.teams_for_linux.appdata.xml
index aa893213..0296d87f 100644
--- a/com.github.IsmaelMartinez.teams_for_linux.appdata.xml
+++ b/com.github.IsmaelMartinez.teams_for_linux.appdata.xml
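Review bot: `details.url` is still handed to the configured handler and to `shell.openExternal` in `openInBrowser` with no scheme check visible in this hunk, so the switch to execFile removes shell interpretation but not the launch of an external program on an arbitrary URL scheme. Unless the callers (for example `secureOpenLink`, whose body lies outside the hunk) already validate it, a guard at the top of the function such as `const { protocol } = new URL(details.url);` followed by `if (protocol !== 'https:' && protocol !== 'http:') return;` would cover both branches; `new URL` throws on unparsable input, so it needs a try/catch. Separately, execFile treats the whole `config.defaultURLHandler` string as the executable path, so a configured value that includes its own arguments, which the old exec call accepted, will now fail to spawn; that deserves a sentence in the option's documentation.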
@@ -14,6 +14,13 @@ https://github.com/IsmaelMartinez/teams-for-linux/issues com.github.IsmaelMartinez.teams_for_linux.desktop + + +
    +
  • Fix: Avoid calling child_process.exec with untrusted string
  • +
+
+
    
diff --git a/package.json b/package.json
index 45fcda0b..489b7f0d 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "teams-for-linux",
- "version": "1.3.16",
+ "version": "1.3.17",
 "main": "app/index.js",
 "description": "Unofficial client for Microsoft Teams for Linux",
 "homepage": "https://github.com/IsmaelMartinez/teams-for-linux",