Skip to content

Security: Remove unsafe PowerShell fallback in WSL #866

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
RinCodeForge927 wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

Security: Remove unsafe PowerShell fallback in WSL #866

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 3 additions & 10 deletions msal/oauth2cli/authcode.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,16 +75,9 @@ def _browse(auth_uri, browser_name=None): # throws ImportError, webbrowser.Erro
browser_opened = webbrowser.open(auth_uri)

# In WSL which doesn't have www-browser, try launching browser with PowerShell
if not browser_opened and is_wsl():
try:
import subprocess
# https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe
# Ampersand (&) should be quoted
exit_code = subprocess.call(
['powershell.exe', '-NoProfile', '-Command', 'Start-Process "{}"'.format(auth_uri)])
browser_opened = exit_code == 0
except FileNotFoundError: # WSL might be too old
pass
# VULNERABILITY FIX: The original subprocess.call fallback was removed due to
# a Command Injection vulnerability (CVE-202X-XXXX).
# Please rely on the standard webbrowser module or ensure 'wslview' is configured.
return browser_opened


Expand Down