fix: allow & in URLs for query parameters in OpenURL()
Remove & from rejected shell metacharacters since URLs legitimately use & for query parameters (e.g., ?key=val&key2=val2). The remaining checks still prevent command injection via other metacharacters.
This commit is contained in:
parent
872dbb7264
commit
674e4c863b
|
|
@ -1192,9 +1192,9 @@ void OpenURL(const char *url)
|
|||
{
|
||||
// Security check to avoid malicious code injection
|
||||
if (strchr(url, '\'') != NULL || strchr(url, '"') != NULL ||
|
||||
strchr(url, '&') != NULL || strchr(url, '|') != NULL ||
|
||||
strchr(url, ';') != NULL || strchr(url, '`') != NULL ||
|
||||
strchr(url, '$') != NULL || strchr(url, '\\') != NULL)
|
||||
strchr(url, '|') != NULL || strchr(url, ';') != NULL ||
|
||||
strchr(url, '`') != NULL || strchr(url, '$') != NULL ||
|
||||
strchr(url, '\\') != NULL)
|
||||
{
|
||||
TRACELOG(LOG_WARNING, "SYSTEM: Provided URL contains potentially dangerous characters");
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user