I don't think a scheme whitelist is a good approach, we can't anticipate what users might input (and what protocols they will use). Testing with Chrome and IE, I get a prompt dialog for protocols it cannot possible know of (adc://). I believe a prompt dialog is sufficient for the most part here as well.
Regarding permissions; I don't know if we can change that, though. If there is a different API than a ShellExecute call that can be made, then we can of course perform that. I'm coming up empty on viable options at MSDN at least, but I've only quickly looked. -- You received this bug notification because you are a member of Dcplusplus-team, which is subscribed to DC++. https://bugs.launchpad.net/bugs/1502650 Title: DC++ 0.851 - Arbitrary code execution Status in DC++: New Bug description: Details and PoC: http://kacperrybczynski.com/research/dcpp_851_arbitrary_code_execution/ By supplying an UNC path in the *.dcext plugin file or main/pm hub chat, a remote file will be automatically downloaded, which can result in arbitrary code execution. To manage notifications about this bug go to: https://bugs.launchpad.net/dcplusplus/+bug/1502650/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~linuxdcpp-team Post to : linuxdcpp-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~linuxdcpp-team More help : https://help.launchpad.net/ListHelp
