From ed5292d9b4882a64cdc66918295db90c19db09c7 Mon Sep 17 00:00:00 2001
From: Michael Lazar
Date: Sun, 11 Sep 2016 19:52:56 -0700
Subject: [PATCH 1/2] Secure urls before sending to Popen.

---
 rtv/terminal.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/rtv/terminal.py b/rtv/terminal.py
index 54222fb..d5033ed 100644
--- a/rtv/terminal.py
+++ b/rtv/terminal.py
@@ -15,6 +15,7 @@ from contextlib import contextmanager
 from tempfile import NamedTemporaryFile
 import six
+from six.moves.urllib.parse import quote
 from kitchen.text.display import textual_width_chop
 from mailcap_fix import mailcap
@@ -468,7 +469,12 @@ class Terminal(object):
 """
 if self.display:
- command = "import webbrowser; webbrowser.open_new_tab('%s')" % url
+ # Note that we need to sanitize the url before inserting it into
+ # the python code to prevent injection attacks.
+ command = (
+ "import webbrowser\n"
+ "from six.moves.urllib.parse import unquote\n"
+ "webbrowser.open_new_tab(unquote('%s'))" % quote(url))
 args = [sys.executable, '-c', command]
 with self.loader('Opening page in a new window'), \
 open(os.devnull, 'ab+', 0) as null:

From ae3a06507ea9e00640c70092f6594ba716153597 Mon Sep 17 00:00:00 2001
From: Michael Lazar
Date: Sun, 11 Sep 2016 19:59:04 -0700
Subject: [PATCH 2/2] Disable pylint import error.

---
 rtv/terminal.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rtv/terminal.py b/rtv/terminal.py
index d5033ed..4f8a92d 100644
--- a/rtv/terminal.py
+++ b/rtv/terminal.py
@@ -15,6 +15,7 @@ from contextlib import contextmanager
 from tempfile import NamedTemporaryFile
 import six
+#pylint: disable=import-error
 from six.moves.urllib.parse import quote
 from kitchen.text.display import textual_width_chop
 from mailcap_fix import mailcap
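Review bot: The percent-encode/decode round trip at `"webbrowser.open_new_tab(unquote('%s'))" % quote(url)` still assembles Python source from attacker-influenced data, and the safer fix is to stop interpolating altogether: hand the URL to the child as an argument, `command = "import sys, webbrowser; webbrowser.open_new_tab(sys.argv[1])"` and `args = [sys.executable, '-c', command, url]`, so no quoting rule has to be right. That form also removes the child's `from six.moves.urllib.parse import unquote`, which currently makes the spawned `sys.executable` need `six` on its own import path. If Python 2 is still supported (the file imports `six`), note that `quote()` there raises `KeyError` on a unicode URL containing non-ASCII characters, so the encode step can itself fail on some links — the argv form sidesteps that too. The enclosing method's signature and the start of its docstring are outside this hunk.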
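Review bot: The added `#pylint: disable=import-error` on a line of its own disables that check from there to the end of the enclosing scope, which at module level is the rest of `terminal.py`, so any later unresolved import is silenced as well, not only the `six.moves` one. Scoping the pragma to the one import keeps the check live elsewhere: `from six.moves.urllib.parse import quote  # pylint: disable=import-error`. The comment also omits the space after `#` that the `# Note that ...` comment added in the first patch uses.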