Security: Remove unsafe PowerShell fallback in WSL

Author: RinZ27

msal/oauth2cli/authcode.py

@@ -76,15 +76,26 @@ def _browse(auth_uri, browser_name=None):  # throws ImportError, webbrowser.Erro
 
     # In WSL which doesn't have www-browser, try launching browser with PowerShell
     if not browser_opened and is_wsl():
-        try:
-            import subprocess
-            # https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe
-            # Ampersand (&) should be quoted
-            exit_code = subprocess.call(
-                ['powershell.exe', '-NoProfile', '-Command', 'Start-Process "{}"'.format(auth_uri)])
+        import subprocess
+        try:  # Try wslview first, which is the recommended way on WSL
+            # https://github.com/wslutilities/wslu
+            exit_code = subprocess.call(['wslview', auth_uri])
             browser_opened = exit_code == 0
-        except FileNotFoundError:  # WSL might be too old
+        except FileNotFoundError:  # wslview might not be installed
             pass
+        if not browser_opened:
+            try:
+                # Fallback to powershell.exe, using -EncodedCommand to prevent injection.
+                # https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe
+                import base64
+                # PowerShell expects UTF-16LE for EncodedCommand
+                cmd = u'Start-Process "{}"'.format(auth_uri.replace('"', '`"'))
+                encoded_cmd = base64.b64encode(cmd.encode('utf-16-le')).decode('ascii')
+                exit_code = subprocess.call(
+                    ['powershell.exe', '-NoProfile', '-NonInteractive', '-EncodedCommand', encoded_cmd])
+                browser_opened = exit_code == 0
+            except (FileNotFoundError, ImportError):  # WSL might be too old
+                pass
     return browser_opened