starred/qBittorrent

Fork 0

mirror of https://github.com/qbittorrent/qBittorrent.git synced 2026-03-02 22:57:32 -05:00

clicking "Search Engine" should not download/execute remote code #17028

New issue

Open

opened 2026-02-22 03:36:59 -05:00 by deekerman · 4 comments

deekerman commented

2026-02-22 03:36:59 -05:00

Owner

Originally created by @philcerf on GitHub (Jul 17, 2025).

qBittorrent & operating system versions

qBittorrent: 5.1.0
Operating system: Debian unstable amd64
Qt: 6.8.2
libtorrent-rasterbar: 2.0.11

What is the problem?

Hey.

"Forwarded" from Debuan bug #1107894.

I've recently noted, that merely by clicking on "Search Engine" (without actually installing a search plugin) the following files get created:

.local/share/qBittorrent/nova3/
├── engines
│   └── __init__.py
├── __init__.py
├── helpers.py
├── nova2.py
├── nova2dl.py
├── novaprinter.py
└── socks.py

The Debian binary package does not include these files (as package files), but the Debian source package does and it looks as if they might be compiled into the program executable as resource file.
Also, even when one's offline, these files get created which might indicate they're not downloaded from he web.

However, the Debian maintainer insists they are, and I found some code portions in src/base/search/searchpluginmanager.cpp for which I'm not sure if they may actually do.

Thus question: are these files ever downloaded/upgraded from remote (i.e. the web) or not?

Cause if so, it might also be considered a security risk (even if it's downloaded via HTTPs, certificates are rather easy to forge for a skilled attacker).

Thanks,
Philippe.

Steps to reproduce

make sure there's no ~/.local/share/qBittorrent/nova3/
start qbittorrent
click on Search Engine, but don't actually install any search engine
there will now be some code in ~/.local/share/qBittorrent/nova3/

Additional context

No response

Log(s) & preferences file(s)

N/A

Originally created by @philcerf on GitHub (Jul 17, 2025). ### qBittorrent & operating system versions qBittorrent: 5.1.0 Operating system: Debian unstable amd64 Qt: 6.8.2 libtorrent-rasterbar: 2.0.11 ### What is the problem? Hey. "Forwarded" from [Debuan bug #1107894](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107894). I've recently noted, that merely by clicking on "Search Engine" (**without** actually installing a search plugin) the following files get created: ``` .local/share/qBittorrent/nova3/ ├── engines │ └── __init__.py ├── __init__.py ├── helpers.py ├── nova2.py ├── nova2dl.py ├── novaprinter.py └── socks.py ``` The Debian binary package does not include these files (as package files), but the Debian source package does and it looks as if they might be compiled into the program executable as resource file. Also, even when one's offline, these files get created which might indicate they're *not* downloaded from he web. However, the Debian maintainer insists they are, and I found some code portions in `src/base/search/searchpluginmanager.cpp` for which I'm not sure if they may actually do. Thus question: are these files ever downloaded/upgraded from remote (i.e. the web) or not? Cause if so, it might also be considered a security risk (even if it's downloaded via HTTPs, certificates are rather easy to forge for a skilled attacker). Thanks, Philippe. ### Steps to reproduce 1. make sure there's no `~/.local/share/qBittorrent/nova3/` 2. start `qbittorrent` 3. click on `Search Engine`, but don't actually install any search engine 4. there will now be some code in `~/.local/share/qBittorrent/nova3/` ### Additional context _No response_ ### Log(s) & preferences file(s) N/A

deekerman added the

Search engine

label

2026-02-22 03:36:59 -05:00

deekerman commented

2026-02-22 03:37:03 -05:00

Author

Owner

@vafada commented on GitHub (Jul 18, 2025):

are these files ever downloaded/upgraded from remote (i.e. the web) or not?

I dont think so

I believe, those files are bundled in the binary. and you are correct, src/base/search/searchpluginmanager.cpp just extracts them, see:

github.com/qbittorrent/qBittorrent@7c443b0c3b/src/base/search/searchpluginmanager.cpp (L525-L543)

this is the bundle file:

github.com/qbittorrent/qBittorrent@7c443b0c3b/src/searchengine/searchengine.qrc

and the source code for each python file:

github.com/qbittorrent/qBittorrent@7c443b0c3b/src/searchengine/nova3

@vafada commented on GitHub (Jul 18, 2025): `are these files ever downloaded/upgraded from remote (i.e. the web) or not?` I dont think so I believe, those files are bundled in the binary. and you are correct, `src/base/search/searchpluginmanager.cpp` just extracts them, see: https://github.com/qbittorrent/qBittorrent/blob/7c443b0c3bc6bb4ac52c73bdd5b495268fbcef8f/src/base/search/searchpluginmanager.cpp#L525-L543 this is the bundle file: https://github.com/qbittorrent/qBittorrent/blob/7c443b0c3bc6bb4ac52c73bdd5b495268fbcef8f/src/searchengine/searchengine.qrc and the source code for each python file: https://github.com/qbittorrent/qBittorrent/blob/7c443b0c3bc6bb4ac52c73bdd5b495268fbcef8f/src/searchengine/nova3

deekerman commented

2026-02-22 03:37:05 -05:00

Author

Owner

@philcerf commented on GitHub (Jul 19, 2025):

Well I am a bit confused by that:
github.com/qbittorrent/qBittorrent@7c443b0c3b/src/base/search/searchpluginmanager.cpp (L89-L104)

which gives an online location https://searchplugins.qbittorrent.org/nova3/engines/ seems to do some (network) connections before if calls updateNova.

Anyway... thanks for your reply :-)

@philcerf commented on GitHub (Jul 19, 2025): Well I am a bit confused by that: https://github.com/qbittorrent/qBittorrent/blob/7c443b0c3bc6bb4ac52c73bdd5b495268fbcef8f/src/base/search/searchpluginmanager.cpp#L89-L104 which gives an online location `https://searchplugins.qbittorrent.org/nova3/engines/` seems to do some (network) connections before if calls `updateNova`. Anyway... thanks for your reply :-)

deekerman commented

2026-02-22 03:37:06 -05:00

Author

Owner

@vafada commented on GitHub (Jul 19, 2025):

that connect is not a network "connection".. that Qt's signal-slot mechanism

https://doc.qt.io/qt-6/signalsandslots.html

the app does a network connection to https://searchplugins.qbittorrent.org/nova3/engines/

but that requires user intervention

when you click check for updates in the search plugins modal:

https://raw.githubusercontent.com/qbittorrent/search-plugins/master/nova3/engines/versions.txt

when you install or update a plugin:

https://github.com/qbittorrent/search-plugins/tree/master/nova3/engines

see the source code for the usage of m_updateUrl

@vafada commented on GitHub (Jul 19, 2025): that `connect` is not a network "connection".. that `Qt's signal-slot mechanism` https://doc.qt.io/qt-6/signalsandslots.html the app does a network connection to `https://searchplugins.qbittorrent.org/nova3/engines/` but that requires user intervention 1. when you click `check for updates` in the `search plugins` modal: https://raw.githubusercontent.com/qbittorrent/search-plugins/master/nova3/engines/versions.txt 2. when you install or update a plugin: https://github.com/qbittorrent/search-plugins/tree/master/nova3/engines see the source code for the usage of `m_updateUrl`

deekerman commented

2026-02-22 03:37:06 -05:00

Author

Owner

@philcerf commented on GitHub (Jul 20, 2025):

Well I guess than it's indeed safe as it is and this issue can be closed.

What might perhaps be added is something like a popup, when people are actually about to download/install plugins from remote.

Thanks :-)

@philcerf commented on GitHub (Jul 20, 2025): Well I guess than it's indeed safe as it is and this issue can be closed. What might perhaps be added is something like a popup, when people are actually about to download/install plugins from remote. Thanks :-)