fix: prevent command injection in example URL opening by maxisbey · Pull Request #2082 · modelcontextprotocol/python-sdk
marked this pull request as ready for review
Replace platform-specific subprocess calls with webbrowser.open() and add URL scheme validation to the elicitation example client.

The previous Windows code path used shell=True with subprocess, which allowed command injection via crafted URLs containing shell metacharacters (e.g., & as a command separator in cmd.exe).

Changes:
- Remove subprocess/sys imports, use webbrowser.open() for all platforms
- Add URL scheme allowlist (http/https only) in handle_url_elicitation, validated before prompting the user for consent
- Return ElicitResult(action='decline') for disallowed schemes instead of silently continuing with action='accept'
- Simplify open_browser() to a pure browser-opening helper
- Align with the safe pattern already used in the OAuth example client
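The validate-then-consent-then-open order described above, as an added sketch that is not the code from this pull request or the SDK. `is_allowed_url`, `handle_url`, the `consent`/`opener` parameters and the plain `"accept"`/`"decline"` strings (standing in for `ElicitResult` actions) are hypothetical names, and the whitespace/control-character check is extra hardening assumed here.

```python
import webbrowser
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})  # allowlist named in the PR text


def is_allowed_url(url: str) -> bool:
    """Return True only for absolute http(s) URLs that carry a host."""
    # Assumed extra hardening: reject whitespace and control characters,
    # some of which urlsplit strips silently before parsing.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. an unterminated IPv6 literal
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.hostname)


def handle_url(url: str, consent=lambda u: True, opener=webbrowser.open) -> str:
    """Validate, then ask for consent, then open the URL without a shell.

    Returns "accept" or "decline" (hypothetical stand-ins for the
    ElicitResult actions mentioned in the PR description).
    """
    if not is_allowed_url(url):
        return "decline"  # rejected before the user is ever prompted
    if not consent(url):
        return "decline"
    opener(url)  # the URL is passed as one argument, not as a shell command line
    return "accept"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the pull request.
    samples = [
        "https://example.com/auth?state=1&next=2",  # '&' is harmless without a shell
        "file:///etc/hosts",                        # scheme not on the allowlist
        "https://example.com/ & echo injected",     # whitespace, rejected outright
        "example.com/no-scheme",                    # relative, no scheme
    ]
    for s in samples:
        # A no-op opener keeps the demo from launching a real browser.
        print(f"{handle_url(s, opener=lambda u: None):8} {s}")
```

Injecting `consent` and `opener` lets the decision logic be tested without prompting a user or launching a browser.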
maxisbey deleted the fix/example-command-injection branch
maxisbey added a commit that referenced this pull request
Feb 18, 2026
Backport of #2082 to v1.x. Replace platform-specific subprocess calls with webbrowser.open() and add URL scheme validation (http/https allowlist) to block dangerous protocol handlers in the URL elicitation example client.
This was referenced
Feb 18, 2026