starred/qBittorrent
1
0
Fork 0
mirror of https://github.com/qbittorrent/qBittorrent.git synced 2026-03-02 22:57:32 -05:00
Code Issues 2.6k Projects Packages Wiki Activity

"run external program" should not be settable via the WebUI/API #16974

New issue
Open
opened 2026-02-22 03:34:40 -05:00 by deekerman · 12 comments
deekerman commented 2026-02-22 03:34:40 -05:00
Owner
Copy link

Originally created by @majora2007 on GitHub (Jun 22, 2025).

qBittorrent & operating system versions

qBittorrent: 5.0.3 x64
Operating system: Windows 10
Qt: 6.7.3

What is the problem?

When qbittorrent webui/api are enabled, setting "run external program" is allowed to be set. If your password is broken, a hijacker can quickly install a script on your machine.

I believe this setting should be modifiable only via the app and not via the webui.

Steps to reproduce

No response

Additional context

Image

Log(s) & preferences file(s)

N/A

Originally created by @majora2007 on GitHub (Jun 22, 2025). ### qBittorrent & operating system versions qBittorrent: 5.0.3 x64 Operating system: Windows 10 Qt: 6.7.3 ### What is the problem? When qbittorrent webui/api are enabled, setting "run external program" is allowed to be set. If your password is broken, a hijacker can quickly install a script on your machine. I believe this setting should be modifiable only via the app and not via the webui. ### Steps to reproduce _No response_ ### Additional context ![Image](https://github.com/user-attachments/assets/1e1ee394-2cde-4b8d-9cd1-17980d7f0984) ### Log(s) & preferences file(s) N/A
deekerman commented 2026-02-22 03:34:43 -05:00
Author
Owner
Copy link

@Vagelis1608 commented on GitHub (Jun 23, 2025):

I would like to point out that then there would be no way to set it on a headless installation, like mine.

Set a better password.

@Vagelis1608 commented on GitHub (Jun 23, 2025): I would like to point out that then there would be no way to set it on a headless installation, like mine. Set a better password.
deekerman commented 2026-02-22 03:34:45 -05:00
Author
Owner
Copy link

@majora2007 commented on GitHub (Jun 24, 2025):

Headless is a valid constraint. I still believe that this is a pretty large security issue. Perhaps this could be configured via a settings for advanced users to allow setting these fields.

@majora2007 commented on GitHub (Jun 24, 2025): Headless is a valid constraint. I still believe that this is a pretty large security issue. Perhaps this could be configured via a settings for advanced users to allow setting these fields.
deekerman commented 2026-02-22 03:34:45 -05:00
Author
Owner
Copy link

@beigexperience commented on GitHub (Jun 24, 2025):

What if there is an env var that you would need to set through the container orchestration or whatever is launching this if not in a container that would allow this function to be settable via the web ui?

@beigexperience commented on GitHub (Jun 24, 2025): What if there is an env var that you would need to set through the container orchestration or whatever is launching this if not in a container that would allow this function to be settable via the web ui?
deekerman commented 2026-02-22 03:34:45 -05:00
Author
Owner
Copy link

@glassez commented on GitHub (Jun 25, 2025):

What if there is an env var that you would need to set through the container orchestration or whatever is launching this if not in a container that would allow this function to be settable via the web ui?

In this case, would it make sense to set the "run external program" value itself through an environment variable, completely prohibiting doing it through the WebAPI?

@glassez commented on GitHub (Jun 25, 2025): > What if there is an env var that you would need to set through the container orchestration or whatever is launching this if not in a container that would allow this function to be settable via the web ui? In this case, would it make sense to set the "run external program" value itself through an environment variable, completely prohibiting doing it through the WebAPI?
deekerman commented 2026-02-22 03:34:45 -05:00
Author
Owner
Copy link

@sledgehammer999 commented on GitHub (Jun 25, 2025):

Keep in mind that:

  1. WebUI isn't enabled by default. EDIT: True only for GUI builds.
  2. When enabled, WebUI access requires authentication by default
  3. Until user explicitly sets their own password qbt generates a random password each time the client starts.

The above limit the exploitability of a running client.

Is it worth it to hide some dangerous APIs under an explicit cmdline/env var option? Maybe. If someone wants to implement it, IMO, we shouldn't reject it.
If implemented, then I suggest: For the current series the default is to continue allowing the API but displaying a future deprecation notice both in the log and in the relevant field in the preferences UI. In the next series, the default will be to restrict these APIs and require the presence of this cmdline/env.

In this case, would it make sense to set the "run external program" value itself through an environment variable, completely prohibiting doing it through the WebAPI?

Probably a valid approach too.

@sledgehammer999 commented on GitHub (Jun 25, 2025): Keep in mind that: 1. WebUI isn't enabled by default. EDIT: True only for GUI builds. 2. When enabled, WebUI access requires authentication by default 3. Until user explicitly sets their own password qbt generates a random password **each time** the client starts. The above limit the exploitability of a running client. Is it worth it to hide some dangerous APIs under an explicit cmdline/env var option? Maybe. If someone wants to implement it, IMO, we shouldn't reject it. If implemented, then I suggest: For the current series the default is to continue allowing the API but displaying a future deprecation notice both in the log and in the relevant field in the preferences UI. In the next series, the default will be to restrict these APIs and require the presence of this cmdline/env. >In this case, would it make sense to set the "run external program" value itself through an environment variable, completely prohibiting doing it through the WebAPI? Probably a valid approach too.
deekerman commented 2026-02-22 03:34:45 -05:00
Author
Owner
Copy link

@glassez commented on GitHub (Jun 25, 2025):

  1. WebUI isn't enabled by default

This is not true for headless installations which are more often used via WebUI.

@glassez commented on GitHub (Jun 25, 2025): > 1. WebUI isn't enabled by default This is not true for headless installations which are more often used via WebUI.
deekerman commented 2026-02-22 03:34:45 -05:00
Author
Owner
Copy link

@HanabishiRecca commented on GitHub (Jun 26, 2025):

In this case, would it make sense to set the "run external program" value itself through an environment variable, completely prohibiting doing it through the WebAPI?

I always told that. Ability to run arbitrary code via remote access is a notoriously dangerous practice. Related: #20932
No matter how strong your passwords are. One random auth exploit is all it takes.

People should only be able to set that via local GUI, by editing config manually, or by other external means (CLI flags, env variables etc.).

@HanabishiRecca commented on GitHub (Jun 26, 2025): > In this case, would it make sense to set the "run external program" value itself through an environment variable, completely prohibiting doing it through the WebAPI? I always told that. Ability to run arbitrary code via remote access is a notoriously dangerous practice. Related: #20932 No matter how strong your passwords are. One random auth exploit is all it takes. People should only be able to set that via local GUI, by editing config manually, or by other external means (CLI flags, env variables etc.).
deekerman commented 2026-02-22 03:34:45 -05:00
Author
Owner
Copy link

@Vagelis1608 commented on GitHub (Jun 26, 2025):

CLI flags or config edits would work, yes.
Basically, disable setting it from the WebUI but still have a way to set it on headless installations, where the GUI isnt available.

@Vagelis1608 commented on GitHub (Jun 26, 2025): CLI flags or config edits would work, yes. Basically, disable setting it from the WebUI but still have a way to set it on headless installations, where the GUI isnt available.
deekerman commented 2026-02-22 03:34:45 -05:00
Author
Owner
Copy link

@majora2007 commented on GitHub (Jul 8, 2025):

Any consensus on this? I do believe using a config or system environment to enable this, and leaving disabled via webui, is the best path forward.

@majora2007 commented on GitHub (Jul 8, 2025): Any consensus on this? I do believe using a config or system environment to enable this, and leaving disabled via webui, is the best path forward.
deekerman commented 2026-02-22 03:34:45 -05:00
Author
Owner
Copy link

@HanabishiRecca commented on GitHub (Jul 8, 2025):

Well, users always were able to edit the config manually.
The question is: should we simply remove it now, or some additional ways needed first?

@HanabishiRecca commented on GitHub (Jul 8, 2025): Well, users always were able to edit the config manually. The question is: should we simply remove it now, or some additional ways needed first?
deekerman commented 2026-02-22 03:34:45 -05:00
Author
Owner
Copy link

@beigexperience commented on GitHub (Jul 9, 2025):

I think warnings in the gui and logs for a few versions should be fine. In some version later have it off by default, You can keep the web bits as they are just grayed out/disabled until an env var/config is set(I'm guessing the env var's name should be plainly spelled out near the disabled checkbox)

@beigexperience commented on GitHub (Jul 9, 2025): I think warnings in the gui and logs for a few versions should be fine. In some version later have it off by default, You can keep the web bits as they are just grayed out/disabled until an env var/config is set(I'm guessing the env var's name should be plainly spelled out near the disabled checkbox)
deekerman commented 2026-02-22 03:34:48 -05:00
Author
Owner
Copy link

@majora2007 commented on GitHub (Sep 18, 2025):

Any update on the team's thoughts on this and a path forward?

@majora2007 commented on GitHub (Sep 18, 2025): Any update on the team's thoughts on this and a path forward?
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
v5_2_x
v5_1_x
debian
v5_0_x
v4_6_x
v4_5_x
v4_4_x
v4_3_x
v4_2_x
v4_1_x
v4_0_x
v3_3_x
v3_2_x
v3_1_x
v3_0_x
search_encoding_windows
v2_9_x
release-5.1.4
release-5.1.3
release-5.1.2
release-5.1.1
release-5.1.0
release-5.0.5
release-5.0.4
release-5.1.0rc1
release-5.1.0beta1
release-5.0.3
release-5.0.2
release-5.0.1
release-5.0.0
release-4.6.7
release-5.0.0rc1
release-4.6.6
release-4.6.5
release-4.6.4
release-5.0.0beta1
release-4.6.3
release-4.6.2
release-4.6.1
release-4.6.0
release-4.6.0rc2
release-4.5.5
release-4.6.0rc1
release-4.6.0beta1
release-4.5.4
release-4.6.0alpha1
release-4.5.3
release-4.5.2
release-4.5.1
release-4.5.0
release-4.5.0beta1
release-4.4.5
release-4.4.4
release-4.4.3.1
release-4.4.3
release-4.4.2
release-4.4.1
release-4.4.0
release-4.3.9
release-4.4.0rc1
release-4.3.8
release-4.4.0beta3
release-4.3.7
release-4.4.0beta2
release-4.4.0beta1
release-4.3.6
release-4.3.5
release-4.3.4.1
release-4.3.4
release-4.3.3
release-4.3.2
release-4.3.1
release-4.3.0.1
release-4.3.0
release-4.2.5
release-4.2.4
release-4.2.3
release-4.2.2
release-4.2.1
release-4.2.0
release-4.1.9.1
release-4.1.9
release-4.1.8
release-4.1.7
release-4.1.6
release-4.1.5
release-4.1.4
release-4.1.3
release-4.1.2
release-4.1.1
release-4.1.0
release-4.0.4
release-4.0.3
release-4.0.2
release-4.0.1
release-4.0.0
release-3.3.16
release-3.3.15
release-3.3.14
release-3.3.13
release-3.3.12
release-3.3.11
release-3.3.10
release-3.3.9
release-3.3.8
release-3.3.7
release-3.3.6
release-3.3.5
release-3.3.4
release-3.3.3
release-3.3.2
release-3.3.1
release-3.3.0
release-3.2.5
release-3.2.4
release-3.2.3
release-3.2.2
release-3.2.1
release-3.2.0
release-3.1.12
release-3.1.11
release-3.1.10
release-3.1.9.2
release-3.1.9.1
release-3.1.9
release-3.1.8
release-3.1.7
release-3.1.6
release-3.1.5
release-3.1.4
release-3.1.3
release-3.1.2
release-3.1.1
release-3.1.0
release-3.0.11
release-3.0.10
release-3.0.9
release-3.0.8
release-3.0.7
release-3.0.6
release-3.0.5
release-3.0.4
release-3.0.3
release-3.0.2
release-3.0.1
release-3.0.0
release-2.9.11
release-2.9.10
release-2.9.9
release-2.9.8
release-2.9.7
release-2.9.6
release-2.9.5
release-2.9.4
release-2.9.3
release-2.9.0
release-2.8.5
release-2.8.4
release-2.8.3
release-2.8.2
release-2.7.1
release-2.7.0
release-2.6.9
release-2.6.8
release-2.6.7
release-2.6.5
release-2.6.4
release-2.6.3
release-2.6.2
release-2.6.1
release-2.6.0
release-2.5.5
release-2.5.4
release-2.5.3
release-2.5.2
release-2.5.0
release-2.5.0rc1
release-2.4.11
release-2.5.0beta6
release-2.5.0beta5
release-2.5.0beta3
release-2.4.10
release-2.4.8
release-2.5.0beta2
release-2.5.0beta1
release-2.4.6
release-2.4.4
release-2.4.2
release-2.4.0
release-2.4.0rc3
release-2.4.0rc1
release-2.4.0beta3
release-2.4.0beta1
release-2.3.1
release-2.3.0
release-2.3.0rc6
release-2.2.11
release-2.3.0rc5
release-2.2.10
release-2.2.9
release-2.2.8
release-2.2.6
release-2.2.5
release-2.2.3
release-2.2.2
release-2.2.1
release-2.2.0
release-2.1.6
release-2.1.4
release-2.1.2
release-2.1.1
release-2.1.0
release-2.0.7
release-2.0.6
release-2.0.5
release-2.0.3
release-2.0.2
release-2.0.0
release-2.0.0rc6
release-2.0.0rc2
release-1.5.6
release-1.5.4
release-1.5.3
release-1.5.0
release-1.5.0rc5
release-1.5.0rc4
release-1.5.0rc3
release-1.5.0rc1
release-1.5.0beta4
release-1.5.0beta3
release-1.5.0beta2
release-1.5.0beta1
release-1.4.1
release-1.4.0
release-1.4.0rc2
release-1.4.0rc1
release-1.3.5
release-1.4.0beta3
release-1.3.4
release-1.3.3
release-1.3.1
release-1.3.0
release-1.2.1
release-1.2.0rc1
release-1.2.0beta6
release-1.1.4
release-1.2.0beta5
release-1.1.3
release-1.2.0beta3
release-1.1.2
release-1.2.0beta2
release-1.1.1
release-1.2.0beta1
release-1.1.0
release-1.1.0rc2
release-1.1.0rc1
release-1.1.0beta3
release-1.1.0beta2
release-1.0.0
release-1.0.0rc11
release-1.0.0rc10
release-1.0.0rc9
release-1.0.0rc8
release-1.0.0rc7
release-1.0.0rc6
release-1.0.0rc5
release-1.0.0rc4
release-1.0.0rc3
release-0.9.3
release-0.9.2
Labels
Clear labels   
Accessibility

   
AppImage

   
Bounty

   
Build system

   
CI

   
Can't reproduce

   
Code cleanup

   
Confirmed bug

   
Confirmed bug

   
Core

   
Crash

   
Data loss

   
Discussion

   
Docker

   
Documentation

   
Duplicate

   
Feature

   
Feature request

   
Feature request

   
Feature request

   
Filters

   
Flatpak

   
GUI

   
Has workaround

   
I2P

   
Invalid

   
Libtorrent

   
Look and feel

   
Meta

   
NSIS

   
Network

   
Not an issue

   
OS: *BSD

   
OS: Linux

   
OS: Windows

   
OS: macOS

   
PPA

   
Performance

   
Project management

   
Proxy/VPN

   
Qt bugs

   
Qt6 compat

   
RSS

   
Search engine

   
Security

   
Temp folder

   
Themes

   
Translations

   
Triggers

   
Waiting diagnosis

   
Waiting info

   
Waiting upstream

   
Waiting web implementation

   
Watched folders

   
WebAPI

   
WebUI

   
autoCloseOldIssue
No labels
Accessibility
AppImage
Bounty
Build system
CI
Can't reproduce
Code cleanup
Confirmed bug
Confirmed bug
Core
Crash
Data loss
Discussion
Docker
Documentation
Duplicate
Feature
Feature request
Feature request
Feature request
Filters
Flatpak
GUI
Has workaround
I2P
Invalid
Libtorrent
Look and feel
Meta
NSIS
Network
Not an issue
OS: *BSD
OS: Linux
OS: Windows
OS: macOS
PPA
Performance
Project management
Proxy/VPN
Qt bugs
Qt6 compat
RSS
Search engine
Security
Temp folder
Themes
Translations
Triggers
Waiting diagnosis
Waiting info
Waiting upstream
Waiting web implementation
Watched folders
WebAPI
WebUI
autoCloseOldIssue
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/qBittorrent#16974
No description provided.