From 155d8d4dfdf8f5c1bab3c5cc0f4e1be8dd049bd1 Mon Sep 17 00:00:00 2001
From: shortcutme
Date: Mon, 19 Aug 2019 13:42:49 +0200
Subject: [PATCH] Rev4188, Allow only white listed values for open_browser
---
 src/Config.py | 2 +-
 src/Ui/UiWebsocket.py | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/Config.py b/src/Config.py
index 5292cebe..0bded2db 100644
--- a/src/Config.py
+++ b/src/Config.py
@@ -13,7 +13,7 @@ class Config(object):
 def __init__(self, argv):
 self.version = "0.7.0"
- self.rev = 4187
+ self.rev = 4188
 self.argv = argv
 self.action = None
 self.pending_changes = {}
diff --git a/src/Ui/UiWebsocket.py b/src/Ui/UiWebsocket.py
index 77f4ec50..181a306d 100644
--- a/src/Ui/UiWebsocket.py
+++ b/src/Ui/UiWebsocket.py
@@ -1137,9 +1137,14 @@ class UiWebsocket(object):
 def actionConfigSet(self, to, key, value):
 import main
 if key not in config.keys_api_change_allowed:
- self.response(to, {"error": "Forbidden you cannot set this config key"})
+ self.response(to, {"error": "Forbidden: You cannot set this config key"})
 return
+ if key == "open_browser":
+ if value not in ["default_browser", "False"]:
+ self.response(to, {"error": "Forbidden: Invalid value"})
+ return
+
 # Remove empty lines from lists
 if type(value) is list:
 value = [line for line in value if line]
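Review bot: The new `open_browser` check in actionConfigSet hard-codes its allow-list as an inline list literal and has no comment saying why this one key needs value validation. Every other key that passes `config.keys_api_change_allowed` still accepts an arbitrary value from the websocket caller as far as this hunk shows. If the reason is that the value is later used to decide which program gets launched (not visible here), state that in a comment above the check so the next key with similar reach gets the same treatment. The two nested `if`s can be one guard against a named constant, e.g. `if key == "open_browser" and value not in OPEN_BROWSER_ALLOWED:`, which keeps the accepted values in one reviewable place. The body of actionConfigSet continues past the end of the hunk, so how the accepted value is stored and used cannot be checked from here.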