I would like to report command injection in
It allows injecting arbitrary shell commands by specifying crafted URLs.
module name: open
> Open a file or url in the user's preferred application.
31 293 downloads in the last day
473 107 downloads in the last week
1 968 932 downloads in the last month
~23 627 184 estimated downloads per year
URLs are not properly escaped before being concatenated into the command that is opened using
/tmp/tada/ file created.
User A, who can pass URLs to be `open`-ed on machine B, can execute arbitrary shell commands on machine B.