CVE-2020-10857: Whitelist safe URL protocols for shell.openExternal.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
Anders Kaseorg
2020-03-22 21:37:48 -07:00
parent af59bb7c99
commit a03f569af9
10 changed files with 62 additions and 36 deletions


@@ -1,10 +1,11 @@
import { app, dialog, shell } from 'electron';
import { app, dialog } from 'electron';
import { autoUpdater } from 'electron-updater';
import { linuxUpdateNotification } from './linuxupdater'; // Required only in case of linux
import log from 'electron-log';
import isDev from 'electron-is-dev';
import * as ConfigUtil from '../renderer/js/utils/config-util';
import * as LinkUtil from '../renderer/js/utils/link-util';
export function appUpdater(updateFromMenu = false): void {
// Don't initiate auto-updates in development
@@ -72,7 +73,7 @@ export function appUpdater(updateFromMenu = false): void {
Current Version: ${app.getVersion()}`
});
if (response === 0) {
shell.openExternal('https://zulipchat.com/apps/');
LinkUtil.openBrowser(new URL('https://zulipchat.com/apps/'));
}
// Remove all autoUpdator listeners so that next time autoUpdator is manually called these
// listeners don't trigger multiple times.
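Review bot: The new call `LinkUtil.openBrowser(new URL('https://zulipchat.com/apps/'))` passes a constant https URL, so nothing on the line says why the wrapper is used instead of the direct call; a short comment such as `// Open links only via LinkUtil.openBrowser so the URL protocol is checked before shell.openExternal` would keep a later edit from reverting it. The protocol check itself is not visible in this file section, so the protection here depends entirely on `link-util` rejecting anything outside its safe-protocol list. Because the `shell` import is dropped, a lint rule (for example ESLint `no-restricted-properties` on `shell.openExternal`) would stop direct calls from reappearing in other files. `link-util` sits under `../renderer/` and is now loaded from main-process code; presumably it has no renderer-only dependencies, but that is worth confirming. The body of `appUpdater` continues outside both hunks.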