
Protocol Handler Vulnerability Fix


A remote code execution vulnerability has been discovered affecting Electron apps that use custom protocol handlers. This vulnerability has been assigned the CVE identifier CVE-2018-1000006.


Affected Platforms

Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable.

Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API.

macOS and Linux are not vulnerable to this issue.

Mitigation

We've published new versions of Electron which include fixes for this vulnerability: 1.8.2-beta.5, 1.7.12, and 1.6.17. We urge all Electron developers to update their apps to the latest stable version immediately.

If for some reason you are unable to upgrade your Electron version, you can append -- as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing any further options. The double dash -- signifies the end of command options, after which only positional parameters are accepted.

app.setAsDefaultProtocolClient(protocol, process.execPath, [
'--your-switches-here',
'--',
]);
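As an added example (not Electron's own code), the following Node script builds the argument list in the form shown above so that -- is always the final element, and uses a small constructed argv splitter to show the end-of-options rule the paragraph describes: once -- has been seen, an argument that looks like a switch is treated as a positional parameter instead. The splitter is an illustration of the convention only, not Chromium's command-line parser, and the sample URL and the '--not-a-real-switch' argument are constructed inputs.

```javascript
// Added example, not code from the Electron project.
// buildProtocolClientArgs() produces the array to pass as the third argument of
// app.setAsDefaultProtocolClient(); splitArgs() models the end-of-options rule.

// Build the args for app.setAsDefaultProtocolClient. The app's own switches go
// first and '--' is appended last, so whatever the OS appends after these args
// (the protocol URL) can only be read as a positional parameter.
function buildProtocolClientArgs(switches = []) {
  // Drop any '--' the caller already supplied so there is exactly one, at the end.
  const cleaned = switches.filter((s) => s !== '--');
  return [...cleaned, '--'];
}

// Split argv into switches and positional parameters using the end-of-options
// convention: a bare '--' ends option parsing, and everything after it is
// positional even if it starts with '--'. (Constructed model, not Chromium's parser.)
function splitArgs(argv) {
  const switches = [];
  const positional = [];
  let optionsEnded = false;
  for (const arg of argv) {
    if (!optionsEnded && arg === '--') {
      optionsEnded = true;
      continue;
    }
    if (!optionsEnded && arg.startsWith('--')) {
      switches.push(arg);
    } else {
      positional.push(arg);
    }
  }
  return { switches, positional };
}

// Model the launch: the OS invokes the registered command line and appends the
// URL that was opened. Returns how that command line would be split.
function simulateLaunch(registeredArgs, url) {
  return splitArgs([...registeredArgs, url]);
}

// Usage in the Electron main process (needs the electron module; shown for
// reference only, hypothetical switch name):
//   const { app } = require('electron');
//   app.setAsDefaultProtocolClient('myapp', process.execPath,
//     buildProtocolClientArgs(['--your-switches-here']));

// Stand-alone demonstration with constructed inputs.
const registered = buildProtocolClientArgs(['--your-switches-here']);
console.log(simulateLaunch(registered, 'myapp://open?id=42'));
// A trailing argument that looks like a switch stays positional once '--' precedes it.
console.log(simulateLaunch(registered, '--not-a-real-switch'));
```

The contrast to keep in mind is what happens without the terminator: simulateLaunch(['--your-switches-here'], '--not-a-real-switch') classifies the trailing argument as a second switch, which is exactly the parsing the -- is meant to shut off.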

See the app.setAsDefaultProtocolClient API for more details.

To learn more about best practices for keeping your Electron apps secure, see our security tutorial.

If you wish to report a vulnerability in Electron, email security@electronjs.org.