From 75b859d2a897ceb3408c63390fc71034708f9f05 Mon Sep 17 00:00:00 2001
From: Grant Lanham Jr
Date: Wed, 5 Apr 2023 03:28:58 -0400
Subject: [PATCH] Fix quoting issue in search_operator plugin (#3479)

---
 searx/plugins/search_operators.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/searx/plugins/search_operators.py b/searx/plugins/search_operators.py
index 59125daf..3dd2da8c 100644
--- a/searx/plugins/search_operators.py
+++ b/searx/plugins/search_operators.py
@@ -11,7 +11,11 @@ default_on = False
 
 def on_result(request, search, result):
     q = search.search_query.query
-    qs = shlex.split(q)
+    # WARN: shlex.quote is designed only for Unix shells and may be vulnerable
+    # to command injection on non-POSIX compliant shells (Windows)
+    # https://docs.python.org/3/library/shlex.html#shlex.quote
+    squote = shlex.quote(q)
+    qs = shlex.split(squote)
     spitems = [x.lower() for x in qs if ' ' in x]
     mitems = [x.lower() for x in qs if x.startswith('-')]
     siteitems = [x.lower() for x in qs if x.startswith('site:')]
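Review bot: `qs = shlex.split(squote)` now yields the whole query as a single token whenever `q` contains whitespace or any character outside `[\w@%+=:,./-]`, because `shlex.quote` wraps such strings in single quotes and `shlex.split` then undoes exactly that wrapping; the per-term tokenization that `spitems`, `mitems` and `siteitems` rely on is lost, so `-term` and `site:` operators are only detected when the entire query starts with them. If the intent is to stop `shlex.split` raising `ValueError` ("No closing quotation") on a user query with unbalanced quotes, keep the original split and handle that case: `try:` / `    qs = shlex.split(q)` / `except ValueError:` / `    qs = q.split()`. The added WARN comment restates the shlex.quote shell-construction caveat, but nothing here is passed to a shell, so it does not describe a risk in this code; a comment saying why the query is tokenized this way (and what happens on malformed quoting) would serve the reader better. on_result's body continues outside the hunk.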