From 7d974173cfc2e02a5c11a3c47d288b5e8e8d0083 Mon Sep 17 00:00:00 2001
From: RinCodeForge927
Date: Tue, 30 Dec 2025 20:25:33 +0700
Subject: [PATCH] security: remove unsafe PowerShell fallback in WSL
The existing fallback mechanism uses subprocess.call with an unescaped formatted string to invoke Start-Process. This introduces a command injection vulnerability where a malicious auth_uri can execute arbitrary PowerShell commands. This patch removes the vulnerable fallback path entirely. The webbrowser standard library is sufficient for handling URL opening across platforms.
---
 msal/oauth2cli/authcode.py | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/msal/oauth2cli/authcode.py b/msal/oauth2cli/authcode.py
index ba266223..a6a37662 100644
--- a/msal/oauth2cli/authcode.py
+++ b/msal/oauth2cli/authcode.py
@@ -75,16 +75,9 @@ def _browse(auth_uri, browser_name=None): # throws ImportError, webbrowser.Erro
 browser_opened = webbrowser.open(auth_uri)
 # In WSL which doesn't have www-browser, try launching browser with PowerShell
- if not browser_opened and is_wsl():
- try:
- import subprocess
- # https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe
- # Ampersand (&) should be quoted
- exit_code = subprocess.call(
- ['powershell.exe', '-NoProfile', '-Command', 'Start-Process "{}"'.format(auth_uri)])
- browser_opened = exit_code == 0
- except FileNotFoundError: # WSL might be too old
- pass
+ # VULNERABILITY FIX: The original subprocess.call fallback was removed due to
+ # a Command Injection vulnerability (CVE-202X-XXXX).
+ # Please rely on the standard webbrowser module or ensure 'wslview' is configured.
 return browser_opened
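Review bot: The retained context comment `# In WSL which doesn't have www-browser, try launching browser with PowerShell` now describes a code path that no longer exists, and the new comment cites the placeholder `CVE-202X-XXXX`, an identifier a reader cannot look up; both should be fixed in this hunk before merge. I would collapse the two into one comment, e.g. `# The former WSL fallback that interpolated auth_uri into a PowerShell -Command string was removed: PowerShell parses that string itself, so a crafted URI could alter the command. webbrowser honours $BROWSER, so WSL users can set BROWSER=wslview instead.`, and add a real advisory reference only once one exists. The description's reasoning is sound — passing a list to subprocess.call avoids the POSIX shell but not PowerShell's own parsing of the -Command argument — so removing the path rather than escaping it is the safer choice. Presumably `is_wsl()` has no other caller in this file after this change; if so it is now dead code, which is worth checking since its definition is outside the hunk. The body of `_browse` before the shown context is also outside the hunk.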