This PR contains the following updates:
| Package |
Type |
Update |
Change |
| open |
dependencies |
minor |
5.3.6 → 5.4.0 |
Release Notes
Byron/open-rs (open)
Compare Source
New Features
-
cargo run now shows the exact commands that were tried when opening.
This is useful for debugging, mainly.
Bug Fixes
-
Align WSL PowerShell invocation with Windows
Pass the WSL open target to PowerShell through the OPEN_RS_TARGET
environment variable instead of embedding it in the command string and
escaping it as a single-quoted PowerShell value.
This matches the safer invocation already used by the native Windows
backend. Keeping the PowerShell program fixed ensures that paths and URLs
are treated purely as data, even when they contain quotes, semicolons, or
other PowerShell metacharacters. It also removes the need for custom
PowerShell quoting and avoids converting the target through
to_string_lossy() during command construction.
Add -NonInteractive for consistency with the Windows launcher and update
the WSL tests to verify both the fixed command and the unchanged
environment-variable value.
-
prevent launcher option and shell injection
Opening an attacker-controlled dash-leading path could be interpreted as
launcher options. On Windows, cmd /c start also parsed embedded quotes and
metacharacters as command language, while the legacy gnome-open fallback
could load a module even after a double-dash separator.
Add command-construction regressions for malicious option-shaped paths and
Windows shell metacharacters. Use supported separators on macOS and KDE, and
rewrite dash-leading relative paths for launchers without separator support.
Keep Windows values out of shell syntax by passing the default target through
the environment and invoking custom applications directly, with explorer.exe
as a PowerShell-free fallback.
Exclude cmd-based opening by default, while providing an
explicit insecure Cargo feature for users who need compatibility it
and accept their unsafe handling of untrusted input.
Validated with default and all-feature cargo tests, clippy, and cross-target
cargo check --tests for aarch64 Linux and Windows.
Commit Statistics
- 5 commits contributed to the release.
- 3 commits were understood as conventional.
- 1 unique issue was worked on: #124
Commit Details
view details
- #124
- Prevent launcher option and shell injection (
fd29861)
- Uncategorized
- Merge pull request #126 from Byron/fix-wsl (
bdc3397)
- Align WSL PowerShell invocation with Windows (
7265cae)
- Merge pull request #125 from Byron/open-with-dash-dash (
407b058)
cargo run now shows the exact commands that were tried when opening. (7c19c0a)
Configuration
📅 Schedule: (UTC)
- Branch creation
- Between 12:00 AM and 03:59 AM (
* 0-3 * * *)
- Automerge
- Between 12:00 AM and 03:59 AM (
* 0-3 * * *)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [open](https://github.com/Byron/open-rs) | dependencies | minor | `5.3.6` → `5.4.0` |
---
### Release Notes
<details>
<summary>Byron/open-rs (open)</summary>
### [`v5.4.0`](https://github.com/Byron/open-rs/blob/HEAD/changelog.md#540-2026年07月12日)
[Compare Source](https://github.com/Byron/open-rs/compare/v5.3.6...v5.4.0)
##### New Features
- <csr-id-7c19c0a1a810326b9a9e7542a0992d80adf0a365/> `cargo run` now shows the exact commands that were tried when opening.
This is useful for debugging, mainly.
##### Bug Fixes
- <csr-id-7265cae8c19180c1022d8b1a7fbec815d0264909/> Align WSL PowerShell invocation with Windows
Pass the WSL open target to PowerShell through the OPEN\_RS\_TARGET
environment variable instead of embedding it in the command string and
escaping it as a single-quoted PowerShell value.
This matches the safer invocation already used by the native Windows
backend. Keeping the PowerShell program fixed ensures that paths and URLs
are treated purely as data, even when they contain quotes, semicolons, or
other PowerShell metacharacters. It also removes the need for custom
PowerShell quoting and avoids converting the target through
to\_string\_lossy() during command construction.
Add -NonInteractive for consistency with the Windows launcher and update
the WSL tests to verify both the fixed command and the unchanged
environment-variable value.
- <csr-id-fd29861355bfb981aecdb94d0915f4e41c2686ee/> prevent launcher option and shell injection
Opening an attacker-controlled dash-leading path could be interpreted as
launcher options. On Windows, cmd /c start also parsed embedded quotes and
metacharacters as command language, while the legacy gnome-open fallback
could load a module even after a double-dash separator.
Add command-construction regressions for malicious option-shaped paths and
Windows shell metacharacters. Use supported separators on macOS and KDE, and
rewrite dash-leading relative paths for launchers without separator support.
Keep Windows values out of shell syntax by passing the default target through
the environment and invoking custom applications directly, with explorer.exe
as a PowerShell-free fallback.
Exclude cmd-based opening by default, while providing an
explicit insecure Cargo feature for users who need compatibility it
and accept their unsafe handling of untrusted input.
Validated with default and all-feature cargo tests, clippy, and cross-target
cargo check --tests for aarch64 Linux and Windows.
##### Commit Statistics
<csr-read-only-do-not-edit/>
- 5 commits contributed to the release.
- 3 commits were understood as [conventional](https://www.conventionalcommits.org).
- 1 unique issue was worked on: [#​124](https://github.com/Byron/open-rs/issues/124)
##### Commit Details
<csr-read-only-do-not-edit/>
<details><summary>view details</summary>
- **[#​124](https://github.com/Byron/open-rs/issues/124)**
- Prevent launcher option and shell injection ([`fd29861`](https://github.com/Byron/open-rs/commit/fd29861355bfb981aecdb94d0915f4e41c2686ee))
- **Uncategorized**
- Merge pull request [#​126](https://github.com/Byron/open-rs/issues/126) from Byron/fix-wsl ([`bdc3397`](https://github.com/Byron/open-rs/commit/bdc33978cdbfa1defef31e23659af4ba4a8913b0))
- Align WSL PowerShell invocation with Windows ([`7265cae`](https://github.com/Byron/open-rs/commit/7265cae8c19180c1022d8b1a7fbec815d0264909))
- Merge pull request [#​125](https://github.com/Byron/open-rs/issues/125) from Byron/open-with-dash-dash ([`407b058`](https://github.com/Byron/open-rs/commit/407b05879efb2b33c4e51fa15d77b49fa748a241))
- `cargo run` now shows the exact commands that were tried when opening. ([`7c19c0a`](https://github.com/Byron/open-rs/commit/7c19c0a1a810326b9a9e7542a0992d80adf0a365))
</details>
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)
- Automerge
- Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNjAuMCIsInVwZGF0ZWRJblZlciI6IjQzLjI2MC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->