[EURO-FOSSA] Fix a vunerability from "Search on Internet" command

Restrict the custom search engine to URLs that start with "http://" or "https://", so that the "Search on Internet" command cannot be used to launch an arbitrary application.
Don HO 2019-02-20 00:34:28 +01:00
parent 5bcf55c59e
commit b90be4a05b


@ -458,14 +458,16 @@ void Notepad_plus::command(int id)
generic_string url;
if (nppGui._searchEngineChoice == nppGui.se_custom)
{
if (nppGui._searchEngineCustom.empty())
url = nppGui._searchEngineCustom;
remove_if(url.begin(), url.end(), isspace);
auto httpPos = url.find(TEXT("http://"));
auto httpsPos = url.find(TEXT("https://"));
if (url.empty() || (httpPos != 0 && httpsPos != 0)) // if string is not a url (for launching only browser)
{
url = TEXT("https://www.google.com/search?q=$(CURRENT_WORD)");
}
else
{
url = nppGui._searchEngineCustom.c_str();
}
}
else if (nppGui._searchEngineChoice == nppGui.se_duckDuckGo)
{
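Review bot: The scheme check at `if (url.empty() || (httpPos != 0 && httpsPos != 0))` runs on a whitespace-stripped copy, but the `else` branch then overwrites `url` with the original `nppGui._searchEngineCustom.c_str()`, so the string used afterwards is not the string that was validated. Dropping that reassignment, so the validated `url` is kept, closes the gap. The stripping is also incomplete: the result of `remove_if` is discarded, so `url` keeps its original length and leftover tail characters; it should be `url.erase(std::remove_if(url.begin(), url.end(), pred), url.end());`, with `pred` a predicate defined for the string's character type, because `isspace` is undefined for values outside the `unsigned char` range. `Notepad_plus::command` starts and ends outside this hunk, so how `url` is finally opened is not visible here.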