On 10/30/24 7:43 PM, Sec Guy wrote:
> The secondary impact for all platforms is the update RSS feed can be
> poisoned with malicious update URLs which the user will open in their
> browser if they accept the prompt to update. This is browser hijacking and
> arbitrary exe delivery to a user who would likely trust whatever URL this
> software sent them to.
I researched this for our tracking ticket: https://bugs.gentoo.org/942569

The update RSS feed is activated here:
https://github.com/qbittorrent/qBittorrent/blob/84d895231cb5b67661042deae22d14b5f386342b/src/gui/mainwindow.cpp#L308C1-L316

Dialog:
https://github.com/qbittorrent/qBittorrent/blob/84d895231cb5b67661042deae22d14b5f386342b/src/gui/mainwindow.cpp#L1628-L1682

CheckProgramUpdate:
https://github.com/qbittorrent/qBittorrent/blob/84d895231cb5b67661042deae22d14b5f386342b/src/gui/mainwindow.cpp#L1857-L1875

Settings loader:
https://github.com/qbittorrent/qBittorrent/blob/84d895231cb5b67661042deae22d14b5f386342b/src/gui/mainwindow.cpp#L1413-L1430

Prefs window:
https://github.com/qbittorrent/qBittorrent/blob/84d895231cb5b67661042deae22d14b5f386342b/src/base/preferences.cpp#L1372-L1385

All this code is conditionally compiled under the condition:

#if defined(Q_OS_WIN) || defined(Q_OS_MACOS)

So, this secondary impact is, like the first impact, only an impact on certain platforms -- two this time, instead of just one.

-- 
Eli Schwartz