mirror of
https://github.com/electron/electron.git
synced 2026-05-02 03:00:22 -04:00
fix: validate protocol scheme names in setAsDefaultProtocolClient

On Windows, `app.setAsDefaultProtocolClient(protocol)` directly concatenates the protocol string into the registry key path with no validation. A protocol name containing `\` could write to an arbitrary subkey under `HKCU\Software\Classes\`, potentially hijacking existing protocol handlers.

To fix this, add `Browser::IsValidProtocolScheme()` which validates that a protocol name conforms to the RFC 3986 scheme grammar:

    scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )

This rejects backslashes, forward slashes, whitespace, and any other characters not permitted in URI schemes.

Co-authored-by: trop[bot] <37223003+trop[bot]@users.noreply.github.com>
Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com>
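
The scheme check described in the commit message, as an added C++ example that is not Electron's own code: `IsRfc3986Scheme` and `ClassKeyPathFor` are hypothetical names, the inputs in `main` are constructed, and the key path is built as a plain string so the block runs without the Windows registry API.

```cpp
#include <iostream>
#include <string>

// Hypothetical helper, not Electron's Browser::IsValidProtocolScheme().
// RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
// ASCII ranges are compared directly so the result does not depend on locale.
bool IsRfc3986Scheme(const std::string& s) {
  auto is_alpha = [](unsigned char c) {
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
  };
  auto is_digit = [](unsigned char c) { return c >= '0' && c <= '9'; };

  // The first character must be a letter; an empty name is never valid.
  if (s.empty() || !is_alpha(static_cast<unsigned char>(s.front())))
    return false;
  for (unsigned char c : s) {
    if (!(is_alpha(c) || is_digit(c) || c == '+' || c == '-' || c == '.'))
      return false;  // rejects '\\', '/', whitespace, NUL, non-ASCII bytes
  }
  return true;
}

// Hypothetical helper: produce the key path under HKCU only after validation,
// so a path separator in the name can never reach the concatenation.
bool ClassKeyPathFor(const std::string& protocol, std::string* out) {
  if (!IsRfc3986Scheme(protocol))
    return false;
  *out = "Software\\Classes\\" + protocol;
  return true;
}

int main() {
  // Constructed sample inputs.
  const std::string samples[] = {"myapp", "web+app-1.0", "1app",
                                 "my app", "a\\b", "a/b", ""};
  for (const std::string& name : samples) {
    std::string path;
    if (ClassKeyPathFor(name, &path))
      std::cout << "accept  \"" << name << "\" -> HKCU\\" << path << "\n";
    else
      std::cout << "reject  \"" << name << "\"\n";
  }
  return 0;
}
```
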