From a0e2a925eec9933b59d92e800c554256472dddee Mon Sep 17 00:00:00 2001
From: John Preston
Date: Mon, 6 May 2019 12:40:04 +0200
Subject: [PATCH] Filter command line arguments passed to Qt.
See https://www.bleepingcomputer.com/news/security/ qt5-based-gui-apps-susceptible-to-remote-code-execution/ This RCE exploit doesn't affect Telegram Desktop directly, because Telegram Desktop uses statically linked Qt and does not load any plugins from external shared libraries. But in any case it's better to control how command line arguments can affect the app behaviour. For now pass only the first command line part, the executable path.
---
 Telegram/SourceFiles/core/launcher.cpp | 36 +++++++++++++++++++++++++-
 Telegram/SourceFiles/core/sandbox.cpp | 6 ++---
 2 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/Telegram/SourceFiles/core/launcher.cpp b/Telegram/SourceFiles/core/launcher.cpp
index f1b7d1210c..3efa53ebab 100644
--- a/Telegram/SourceFiles/core/launcher.cpp
+++ b/Telegram/SourceFiles/core/launcher.cpp
@@ -20,6 +20,39 @@ namespace {
 uint64 InstallationTag = 0;
+class FilteredCommandLineArguments {
+public:
+ FilteredCommandLineArguments(int argc, char **argv);
+
+ int &count();
+ char **values();
+
+private:
+ static constexpr auto kForwardArgumentCount = 1;
+
+ int _count = 0;
+ char *_arguments[kForwardArgumentCount + 1] = { nullptr };
+
+};
+
+FilteredCommandLineArguments::FilteredCommandLineArguments(
+ int argc,
+ char **argv)
+: _count(std::clamp(argc, 0, kForwardArgumentCount)) {
+ // For now just pass only the first argument, the executable path.
+ for (auto i = 0; i != _count; ++i) {
+ _arguments[i] = argv[i];
+ }
+}
+
+int &FilteredCommandLineArguments::count() {
+ return _count;
+}
+
+char **FilteredCommandLineArguments::values() {
+ return _arguments;
+}
+
 QString DebugModeSettingPath() {
 return cWorkingDir() + qsl("tdata/withdebug");
 }
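Review bot: The new FilteredCommandLineArguments class in the launcher.cpp hunk carries no comment saying why it exists, and the `+ 1` in the `_arguments` size is an unexplained offset; a later reader of launcher.cpp will not see the advisory linked from this commit message. Above the class I would add `// Copy of argv truncated to the executable path so that Qt never parses user-supplied options; the application's own arguments are presumably still read from the unfiltered _argc/_argv (see Launcher::processArguments) — confirm.` and on the array line `// +1 keeps the argv[argc] == nullptr terminator that callers expect; {nullptr} zero-fills it`. `count()` returning `int &` rather than a value is also worth a sentence, since it exists only because Sandbox's constructor takes `int &argc` (see the sandbox.cpp hunk) and QApplication may rewrite the count. The constructor's comment "For now just pass only the first argument" should additionally state that `kForwardArgumentCount` is the single knob to widen if more arguments ever need to reach Qt, so nobody reintroduces a raw `_argv` pass-through instead.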
@@ -440,7 +473,8 @@ void Launcher::processArguments() {
 }
 int Launcher::executeApplication() {
- Sandbox sandbox(this, _argc, _argv);
+ FilteredCommandLineArguments arguments(_argc, _argv);
+ Sandbox sandbox(this, arguments.count(), arguments.values());
 MainQueueProcessor processor;
 base::ConcurrentTimerEnvironment environment;
 return sandbox.start();
diff --git a/Telegram/SourceFiles/core/sandbox.cpp b/Telegram/SourceFiles/core/sandbox.cpp
index 6b8fd9cfae..1cef353478 100644
--- a/Telegram/SourceFiles/core/sandbox.cpp
+++ b/Telegram/SourceFiles/core/sandbox.cpp
@@ -76,9 +76,9 @@ Sandbox::Sandbox(
 not_null launcher,
 int &argc,
 char **argv)
- : QApplication(argc, argv)
- , _mainThreadId(QThread::currentThreadId())
- , _launcher(launcher) {
+: QApplication(argc, argv)
+, _mainThreadId(QThread::currentThreadId())
+, _launcher(launcher) {
 }
 int Sandbox::start() {
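Review bot: The declaration order of `arguments` before `sandbox` in executeApplication is load-bearing but undocumented: Sandbox's constructor takes `int &argc` and hands it with `argv` to `QApplication(argc, argv)` (visible in the sandbox.cpp hunk), and QApplication requires both to stay valid for the whole lifetime of the application object. Reverse-order destruction of locals makes the code as written correct, but a later reordering, or moving the filtering into a helper that returns the array by pointer, would silently dangle the argv storage while Qt still holds it. I would add `// Must be declared before sandbox: QApplication keeps a reference to argc and the argv array for its entire lifetime.` above the first added line. The closing brace of executeApplication lies outside the hunk.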