From b90be4a05b36e8e9117a8fd1e5b134894640fec0 Mon Sep 17 00:00:00 2001
From: Don HO
Date: Wed, 20 Feb 2019 00:34:28 +0100
Subject: [PATCH] [EURO-FOSSA] Fix a vunerability from "Search on Internet" command

Restrict the usage of customized search engine on only "http://" or "https://" url schema to avoid whatever application can be launched via "Search on Internet" command.
---
 PowerEditor/src/NppCommands.cpp | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/PowerEditor/src/NppCommands.cpp b/PowerEditor/src/NppCommands.cpp
index 3047365f..359ec209 100644
--- a/PowerEditor/src/NppCommands.cpp
+++ b/PowerEditor/src/NppCommands.cpp
@@ -458,14 +458,16 @@ void Notepad_plus::command(int id)
 generic_string url;
 if (nppGui._searchEngineChoice == nppGui.se_custom)
 {
- if (nppGui._searchEngineCustom.empty())
+ url = nppGui._searchEngineCustom;
+ remove_if(url.begin(), url.end(), isspace);
+
+ auto httpPos = url.find(TEXT("http://"));
+ auto httpsPos = url.find(TEXT("https://"));
+
+ if (url.empty() || (httpPos != 0 && httpsPos != 0)) // if string is not a url (for launching only browser)
 {
 url = TEXT("https://www.google.com/search?q=$(CURRENT_WORD)");
 }
- else
- {
- url = nppGui._searchEngineCustom.c_str();
- }
 }
 else if (nppGui._searchEngineChoice == nppGui.se_duckDuckGo)
 {
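Review bot: The added `remove_if(url.begin(), url.end(), isspace);` discards its return value, so nothing is erased: the string keeps its original length, and whatever remains in the tail after compaction still travels with the URL past the `http://`/`https://` prefix check. Use the erase-remove form, `url.erase(remove_if(url.begin(), url.end(), iswspace), url.end());`, with `iswspace` on the assumption that `generic_string` is a wide string as the `TEXT()` literals suggest, since `isspace` is undefined for values outside the unsigned char range. The scheme test is also case-sensitive and scans the whole string with `find`; a prefix comparison such as `url.compare(0, 7, TEXT("http://")) == 0` states the intent more directly. `Notepad_plus::command` starts and ends outside this hunk, so how `url` is finally launched is not visible here.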