From 7325921070226b3ba5eeca2d61451cac475619d1 Mon Sep 17 00:00:00 2001 From: Kovid Goyal Date: Thu, 1 Sep 2022 11:32:15 +0530 Subject: [PATCH] Allow cancel async commands without auth --- kitty/remote_control.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kitty/remote_control.py b/kitty/remote_control.py index 0a0c9ae3f..23fe3aad1 100644 --- a/kitty/remote_control.py +++ b/kitty/remote_control.py @@ -140,6 +140,13 @@ def is_cmd_allowed(pcmd: Dict[str, Any], window: Optional['Window'], from_socket sid = pcmd.get('stream_id', '') if sid and active_streams.get(sid, '') == pcmd['cmd']: return True + if 'cancel_async' in pcmd and pcmd.get('async_id'): + # we allow these without authentication as they are sent on error + # conditions and we cant have users prompted for these. The worst side + # effect of a malicious cancel_async request is that it can prevent + # another async request from getting a result, if it knows the async_id + # of that request. + return True pw = pcmd.get('password', '') if not pw: auth_items = get_options().remote_control_password.get('')