Prompt the user before executing a command in a cmd:// URL #235
Merged
phoerious merged 1 commit into keepassxreboot:develop from Throne3d:fix/51-prompt-before-cmd on Jan 28, 2017
Conversation
Member:
Not that your changes would break anything, but have you also tested with -DWITH_GUI_TESTS=ON? Those are usually the most important ones when you modify the UI.
Contributor (Author):
I did, yes. Forgot to mention.
phoerious requested changes on Jan 27, 2017
src/gui/DatabaseWidget.cpp (Outdated)

```cpp
result = MessageBox::question(
    this, tr("Execute command?"),
    tr("Do you really want to execute the following command?<br><br>%1")
    .arg(urlString),
```
Member:
You should use urlString.toHtmlEscaped() here to prevent evaluation of HTML contents.
Member:
You should probably also truncate it if it is too long. Otherwise the message box will be gigantic for very long commands.
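The two review comments above ask for two things before the command text is dropped into the `%1` slot of a rich-text message box: escape it, because Qt message boxes treat text that looks like HTML as markup, and truncate it so a very long cmd:// URL cannot produce an unusable dialog. The following example is added here and is not part of the pull request or of KeePassXC; it reimplements the same escaping that `QString::toHtmlEscaped()` performs (the four characters `&`, `<`, `>`, `"`) in plain C++ so that it compiles without Qt, and shows the ordering a practitioner wants: truncate the raw string first, then escape, so the cut can never split an entity such as `&lt;` into a dangling fragment. The function names and the 200-character limit are assumptions chosen for the example.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Escape the characters a Qt message box would otherwise interpret as rich
// text. Same character set as QString::toHtmlEscaped(); written in plain
// C++ here (assumption: Qt is not available to the reader running this).
std::string htmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            default:   out += c;
        }
    }
    return out;
}

// Produce the text that is safe to place in the "%1" slot of the prompt.
// The raw command is truncated to maxLen characters BEFORE escaping, so a
// cut can never land inside an entity like "&lt;" and leave "&l" behind.
// A plain ASCII ellipsis is appended only when something was dropped.
std::string commandForPrompt(const std::string& urlString, std::size_t maxLen) {
    std::string shown = urlString;
    bool truncated = false;
    if (shown.size() > maxLen) {
        shown.resize(maxLen);
        truncated = true;
    }
    std::string escaped = htmlEscape(shown);
    if (truncated) {
        escaped += "...";
    }
    return escaped;
}

// Assemble the whole prompt body the way the patch does (HTML with <br><br>).
// The markup we add ourselves stays intact; only the untrusted URL text is
// neutralised, so a URL containing tags is displayed literally, not rendered.
std::string buildPromptBody(const std::string& urlString, std::size_t maxLen = 200) {
    return "Do you really want to execute the following command?<br><br>"
           + commandForPrompt(urlString, maxLen);
}

int main() {
    // Constructed sample input: a cmd:// URL that embeds markup.
    const std::string url = "cmd://echo <b>this could be a malicious command</b>";
    std::cout << buildPromptBody(url) << '\n';
    std::cout << buildPromptBody(url, 16) << '\n';
    return 0;
}
```

Run stand-alone, the first line shows the tags as literal `&lt;b&gt;` text rather than bold rendering, and the second shows the truncated form ending in `...` with every entity left whole.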
Fixes #51. (Does not have a "don't ask me anymore" option.)
phoerious approved these changes on Jan 28, 2017
Member:
Merged. Thanks for the patch!
droidmonkey added a commit that referenced this pull request on Jun 25, 2017:

- Added YubiKey 2FA integration for unlocking databases [#127]
- Added TOTP support [#519]
- Added CSV import tool [#146, #490]
- Added KeePassXC CLI tool [#254]
- Added diceware password generator [#373]
- Added support for entry references [#370, #378]
- Added support for Twofish encryption [#167]
- Enabled DEP and ASLR for in-memory protection [#371]
- Enabled single instance mode [#510]
- Enabled portable mode [#645]
- Enabled database lock on screensaver and session lock [#545]
- Redesigned welcome screen with common features and recent databases [#292]
- Multiple updates to search behavior [#168, #213, #374, #471, #603, #654]
- Added auto-type fields {CLEARFIELD}, {SPACE}, {{}, {}} [#267, #427, #480]
- Fixed auto-type errors on Linux [#550]
- Prompt user prior to executing a cmd:// URL [#235]
- Entry attributes can be protected (hidden) [#220]
- Added extended ascii to password generator [#538]
- Added new database icon to toolbar [#289]
- Added context menu entry to empty recycle bin in databases [#520]
- Added "apply" button to entry and group edit windows [#624]
- Added macOS tray icon and enabled minimize on close [#583]
- Fixed issues with unclean shutdowns [#170, #580]
- Changed keyboard shortcut to create new database to CTRL+SHIFT+N [#515]
- Compare window title to entry URLs [#556]
- Implemented inline error messages [#162]
- Ignore group expansion and other minor changes when making database "dirty" [#464]
- Updated license and copyright information on source files [#632]
- Added contributors list to about dialog [#629]
Description

When the user selects to open a `cmd://` URL, prompt them to ask, "Do you really want to execute the following command?" (Does not have a "don't ask me anymore" option.)

Motivation and Context

Fixes #51.

Not having worked with Qt (ever) or C++ (much) in the past, I copied the code from the `DatabaseWidget::deleteEntries` method to prompt the user and adjusted it appropriately. Looking at an example on the Qt website, I realized you could insert HTML into the text for message boxes. I wasn't sure whether to use `<br><br>`, `<br /><br />`, or `<p>` to produce the linebreak effect, or whether I should just not attempt that at all and instead should embed it into the question (e.g. "Are you sure you want to run the command '%1'?"). I couldn't see any other instances of `<br/?>` or `<p>` in the code.

How Has This Been Tested?

I created two entries in a database – one with `http://example.com` as a URL and one instead with `cmd://echo this could be a malicious command`. Pressing the "Open URL" button in the context menu for the former opens the URL with no prompt, and with the latter produces the aforementioned message box. Clicking 'No' on the message box produces no output, and clicking 'Yes' produces 'this could be a malicious command' in the terminal.

Running the tests (`DWITH_TESTS=ON` and `make test`) produced no failures.

Screenshots (if appropriate):

https://i.gyazo.com/4fe418a1998c89a8fc901a936256643d.png