diff --git a/kitty/remote_control.py b/kitty/remote_control.py index 0a0c9ae3f..23fe3aad1 100644 --- a/kitty/remote_control.py +++ b/kitty/remote_control.py @@ -140,6 +140,13 @@ def is_cmd_allowed(pcmd: Dict[str, Any], window: Optional['Window'], from_socket sid = pcmd.get('stream_id', '') if sid and active_streams.get(sid, '') == pcmd['cmd']: return True + if 'cancel_async' in pcmd and pcmd.get('async_id'): + # we allow these without authentication as they are sent on error + # conditions and we cant have users prompted for these. The worst side + # effect of a malicious cancel_async request is that it can prevent + # another async request from getting a result, if it knows the async_id + # of that request. + return True pw = pcmd.get('password', '') if not pw: auth_items = get_options().remote_control_password.get('')