From 39ee796ce03148fdd953abe2d79ec24e2826611a Mon Sep 17 00:00:00 2001
From: Julien Ponge
Date: Thu, 29 Jul 2021 15:40:28 +0200
Subject: [PATCH] Pass arguments arrays to Runtime::exec

Code scanning tools as in https://github.com/quarkusio/quarkus/security can flag this as a vulnerability. In this case the URL is actually going to be safe, but it's still a better practice not to concatenate arguments as a String.
---
 .../deployment/devmode/console/DevConsoleProcessor.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/extensions/vertx-http/deployment/src/main/java/io/quarkus/vertx/http/deployment/devmode/console/DevConsoleProcessor.java b/extensions/vertx-http/deployment/src/main/java/io/quarkus/vertx/http/deployment/devmode/console/DevConsoleProcessor.java
index 8a84e13f6da5f..0ad31bf20bebf 100644
--- a/extensions/vertx-http/deployment/src/main/java/io/quarkus/vertx/http/deployment/devmode/console/DevConsoleProcessor.java
+++ b/extensions/vertx-http/deployment/src/main/java/io/quarkus/vertx/http/deployment/devmode/console/DevConsoleProcessor.java
@@ -483,13 +483,13 @@ private void openBrowser(HttpRootPathBuildItem rp, NonApplicationRootPathBuildIt
 try {
 switch (os) {
 case MAC:
- rt.exec("open " + url);
+ rt.exec(new String[] { "open", url });
 break;
 case LINUX:
- rt.exec("xdg-open " + url);
+ rt.exec(new String[] { "xdg-open", url });
 break;
 case WINDOWS:
- rt.exec("rundll32 url.dll,FileProtocolHandler " + url);
+ rt.exec(new String[] { "rundll32 url.dll,FileProtocolHandler", url });
 break;
 case OTHER:
 log.error("Cannot launch browser on this operating system");
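Review bot: The WINDOWS branch still packs the program name and its first argument into a single array element, `"rundll32 url.dll,FileProtocolHandler"`. With the array overload of `Runtime.exec` no tokenizing happens, so that whole string is taken as the executable to launch; this likely fails to start the browser on Windows, where the old single-string call worked. Each argument should be its own element: `rt.exec(new String[] { "rundll32", "url.dll,FileProtocolHandler", url });`. The MAC and LINUX branches are split correctly, which keeps `url` from being re-split on whitespace. `openBrowser` starts and ends outside this hunk, so how `url` is built and how a failed launch is reported cannot be checked from here.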