devol
/
searx
mirror of https://github.com/searx/searx
1
0
Fork 0
Code Issues Releases Wiki Activity

Fix quoting issue in search_operator plugin (#3479)

This commit is contained in:
Grant Lanham Jr 2023-04-05 03:28:58 -04:00 committed by GitHub
parent 48eb13cf4c
commit 75b859d2a8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
searx/plugins/search_operators.py
View File

@ -11,7 +11,11 @@ default_on = False
def on_result(request, search, result):
q = search.search_query.query
qs = shlex.split(q)
# WARN: shlex.quote is designed only for Unix shells and may be vulnerable
# to command injection on non-POSIX compliant shells (Windows)
# https://docs.python.org/3/library/shlex.html#shlex.quote
squote = shlex.quote(q)
qs = shlex.split(squote)
spitems = [x.lower() for x in qs if ' ' in x]
mitems = [x.lower() for x in qs if x.startswith('-')]
siteitems = [x.lower() for x in qs if x.startswith('site:')]