mirror of
https://github.com/microsoft/PowerToys.git
synced 2026-07-10 20:39:11 +02:00
## Summary of the Pull Request Fixes a command breakout vulnerability in the Shell plugin where user input containing double quotes could be manipulated to execute arbitrary sub-processes. By escaping double quotes, inputs like `test" & calc.exe` are treated as literal strings rather than shell command separators. ## PR Checklist - [ ] Closes: #xxx - [x] **Communication:** Proactive fix for command execution logic. - [x] **Tests:** Verified locally. - [x] **Localization:** N/A - [x] **Dev docs:** N/A - [x] **New binaries:** N/A - [x] **Documentation updated:** N/A ## Detailed Description of the Pull Request / Additional comments Escaping double quotes in the command string before it is passed to the shell prevents the breakout vector I identified while still allowing environment variables to expand as expected. I also removed some redundant property assignments in the shell helpers to keep the logic focused on the core fix. ## Validation Steps Performed Standard diagnostic commands like `ping` and `ipconfig` continue to function as expected via PowerToys Run. Malicious strings designed to break out of quotes now fail to execute sub-commands, as confirmed during local verification. --------- Co-authored-by: LegendaryBlair <legendaryblair@icloud.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>