[Bug] Shell input not sanitised in websearch plugin
00-kat opened this issue · comments
I'm not too sure if this is an issue or not since it is in your config after all, however if I have the following config:
Config(
  engines: [
    Custom(
      name: "click me",
      url: "somewhere.com/something?q={} && echo hehe > /tmp/test.txt",
    ),
  ],
)
Then run Anyrun and search for something, I see a file /tmp/test.txt with the contents hehe.
My only guess as to when this might be problematic is if you have something like somewhere.com/something?q={}&something=something, it might be possible to accidentally run shell commands instead of going where you want to (actually I remember I was affected by this bug when I was trying to add the Arch Wiki, because the URL had &s in it).
Oops I think I might have opened the issue in the wrong repository; it also seems to be a duplicate of anyrun-org/plugin-websearch#1.
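
An added example, not part of the original issue and not the plugin's own code: one way to build and launch a search URL so that neither the engine template nor the search term is ever parsed by a shell. The function names and the `xdg-open` opener are assumptions of this sketch; the two templates are the ones quoted in the report.

```rust
use std::process::Command;

// Characters that `sh -c` treats as syntax rather than data.
const SHELL_SPECIAL: &str = " \t\n&;|<>()$`\\\"'*?[]#";

/// Percent-encode the search term so it cannot add URL or shell syntax.
fn encode_query(q: &str) -> String {
    q.bytes().map(|b| match b {
        b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => (b as char).to_string(),
        _ => format!("%{:02X}", b),
    }).collect()
}

/// Substitute the encoded term into the engine's URL template.
fn build_url(template: &str, query: &str) -> String {
    template.replace("{}", &encode_query(query))
}

/// Distinct characters in `url` that a shell would interpret, in order of first use.
fn shell_special_in(url: &str) -> Vec<char> {
    let mut found = Vec::new();
    for c in url.chars() {
        if SHELL_SPECIAL.contains(c) && !found.contains(&c) { found.push(c); }
    }
    found
}

/// Hardened launch: no shell involved, the URL is exactly one argument.
/// `opener` (e.g. xdg-open) is an assumption of this example.
fn direct_command(opener: &str, url: &str) -> Command {
    let mut cmd = Command::new(opener);
    cmd.arg(url);
    cmd
}

/// The argv the OS would receive, for inspection without spawning anything.
fn argv_of(cmd: &Command) -> Vec<String> {
    std::iter::once(cmd.get_program()).chain(cmd.get_args())
        .map(|s| s.to_string_lossy().into_owned()).collect()
}

fn main() {
    // Constructed inputs: the two URL templates quoted in the report.
    for t in ["somewhere.com/something?q={} && echo hehe > /tmp/test.txt",
              "somewhere.com/something?q={}&something=something"] {
        let url = build_url(t, "arch wiki & more");
        println!("shell would interpret {:?}", shell_special_in(&url));
        println!("direct argv: {:?}", argv_of(&direct_command("xdg-open", &url)));
    }
}
```

`shell_special_in` can also serve as a config-load check that warns when an engine URL would be unsafe on any code path that still goes through `sh -c`.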