A GUI client for Windows and Linux, supporting Xray core, v2fly core and others
Claude 3ff2079a5d
[SECURITY] Improve argument handling to prevent command injection
Security improvements for process execution in ProcUtils.

VULNERABILITY DETAILS:
- Location: ServiceLib/Common/ProcUtils.cs:20-27, 58
- Type: CWE-78 (OS Command Injection)
- Impact: Potential command injection via improper argument quoting
- Risk: Double-quoting could break escaping and allow shell metacharacters

SECURITY IMPROVEMENTS:
1. Prevent double-quoting: Check if strings are already quoted before adding quotes
2. Smart argument detection: Don't quote multi-argument strings (containing - or /)
3. Improved validation: Only quote single arguments with spaces
4. Added security comments documenting the quoting logic
5. Fixed RebootAsAdmin to use same safe quoting logic

TECHNICAL CHANGES:
- Check for existing quotes before calling AppendQuotes()
- Detect multi-argument strings by checking for " -" and " /" patterns
- Don't quote arguments that contain quotes (may be pre-formatted)
- Extract exePath in RebootAsAdmin to apply same validation

BEFORE (vulnerable):
- Any string with spaces was blindly quoted
- Already-quoted strings would be double-quoted: ""path"" (invalid)
- Multi-argument strings treated as single arg: "arg1 arg2" (broken)

AFTER (improved):
- Only quote unquoted strings with spaces
- Preserve existing quotes in strings
- Detect and preserve multi-argument patterns
- Consistent handling across both methods

LIMITATIONS:
- UseShellExecute = true is still used (required for URL/shell association handling)
- For maximum security, callers should use whitelisting of allowed executables
- Complex argument strings should be properly formatted by callers

TESTING:
- Handles paths like "C:\Program Files\app.exe" correctly
- Preserves already-quoted paths: "\"C:\Program Files\app.exe\""
- Doesn't break multi-arg strings: "arg1 -flag value"
- Works with both Windows (/) and Unix (-) style arguments

References:
- CWE-78: https://cwe.mitre.org/data/definitions/78.html
- OWASP Command Injection: https://owasp.org/www-community/attacks/Command_Injection

Note: This is a defense-in-depth measure. The primary risk mitigation is that
most callers use application-controlled paths rather than user input.
2026-01-28 01:44:57 +00:00
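Per-argument quoting, as an added illustration of the quoting problem the commit above addresses. This is example code, not v2rayN's ProcUtils.cs, and the class and member names (ArgQuoting, QuoteArgument, BuildCommandLine) are assumptions. It quotes every argument on its own under the CommandLineToArgvW rules (a quote is escaped with a backslash; backslashes are doubled only when they precede a quote or the closing quote), so the question "is this string already quoted?" never has to be answered heuristically, and it then shows ProcessStartInfo.ArgumentList, which applies the same rules inside the runtime (.NET Core 2.1 and later).

```csharp
// Added example (not part of v2rayN's ProcUtils.cs): quote each argument of a Windows
// command line separately, following the CommandLineToArgvW / MSVCRT parsing rules,
// so the child process receives exactly the strings the caller intended.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Text;

public static class ArgQuoting
{
    // Quote ONE argument. Arguments without whitespace or quotes are returned unchanged;
    // everything else is wrapped in double quotes with the required backslash escaping.
    public static string QuoteArgument(string arg)
    {
        if (arg.Length > 0 && arg.IndexOfAny(new[] { ' ', '\t', '\n', '\v', '"' }) < 0)
            return arg;                                    // nothing to escape

        var sb = new StringBuilder("\"");
        int backslashes = 0;                               // run of '\' not yet emitted
        foreach (char c in arg)
        {
            if (c == '\\') { backslashes++; continue; }
            if (c == '"')
            {
                // Backslashes before a quote are doubled, plus one more to escape the quote.
                sb.Append('\\', backslashes * 2 + 1);
                sb.Append('"');
                backslashes = 0;
                continue;
            }
            sb.Append('\\', backslashes);                  // plain backslashes are literal
            sb.Append(c);
            backslashes = 0;
        }
        sb.Append('\\', backslashes * 2);                  // trailing run precedes the closing quote
        sb.Append('"');
        return sb.ToString();
    }

    // Join already-separated arguments into one command line string.
    public static string BuildCommandLine(IEnumerable<string> args)
    {
        return string.Join(" ", args.Select(QuoteArgument));
    }

    public static void Main()
    {
        // Constructed sample arguments: a path with spaces, a flag, a value that already
        // carries quotes, and a directory ending in a backslash.
        var samples = new[] { @"C:\Program Files\app.exe", "-config", "\"already quoted\"", @"C:\dir\" };
        foreach (var s in samples)
            Console.WriteLine($"{s}  ->  {QuoteArgument(s)}");

        Console.WriteLine(BuildCommandLine(samples));

        // ArgumentList (assumed: .NET Core 2.1+ / .NET 5+) keeps arguments separate and
        // quotes them for you; nothing is launched here, only the start info is built.
        var psi = new ProcessStartInfo(@"C:\Program Files\app.exe") { UseShellExecute = false };
        psi.ArgumentList.Add("-config");
        psi.ArgumentList.Add(@"C:\My Configs\config.json");
        Console.WriteLine(BuildCommandLine(psi.ArgumentList));
    }
}
```

Because quoting is applied to one argument at a time, an argument that already contains quotes is escaped rather than wrapped again, and a value ending in a backslash gets that backslash doubled before the closing quote, which is the case a "wrap in quotes if it contains a space" rule gets wrong. Whether the process is later started with UseShellExecute true or false, the argument string built this way is the one the child will parse.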
.github Set all .NET publish tasks to self-contained 2025-12-28 14:10:00 +08:00
v2rayN [SECURITY] Improve argument handling to prevent command injection 2026-01-28 01:44:57 +00:00
.editorconfig Update .editorconfig 2025-01-31 15:59:44 +08:00
.gitattributes Remove extra .gitignore file and move .gitattributes to the root folder for consistent storage of .git-related files. (#6545) 2025-01-20 09:28:30 +08:00
.gitignore i18n(ru/zh-Hans/zh-Hant/hu/fa): translate TUN settings, unify MTU, use resx (#7787) 2025-08-18 17:28:59 +08:00
.gitmodules Use project to implement Windows global hotkey 2025-02-27 20:12:07 +08:00
BUG_REPORT.md Add comprehensive code review bug report 2026-01-24 22:51:11 +00:00
LICENSE Update LICENSE (#7327) 2025-05-28 20:04:12 +08:00
package-debian.sh [PR]改进Emoji字体兼容性 (#8346) 2025-11-19 16:47:00 +08:00
package-osx.sh Update package-osx.sh (#8303) 2025-11-11 19:31:06 +08:00
package-release-zip.sh Modify the build script 2024-12-26 17:19:42 +08:00
package-rhel.sh Code Clean (#8586) 2026-01-05 09:56:43 +08:00
README.md docs: improve README.md formatting and readability (#7376) 2025-06-02 09:52:49 +08:00

v2rayN

A GUI client for Windows, Linux and macOS, supporting Xray, sing-box and other cores

How to use

Read the Wiki for details.

Telegram Channel

github_2dust