OAuth browser-launch URI validation closes command-injection path
What this changes for operators
- An operator authenticating against a third-party or attacker-influenced OAuth server was exposed to shell command injection via the verification URI; upgrading past ba6e529 removes that exposure.
- Verification path: confirm the build includes ba6e529 (non-HTTP(S) URIs rejected; browser launched via spawn(), not shell exec()).
Signal metadata
Source findings
- OAuth browser launch URI validation and shell-safe spawning · 2026-06-02-pi-coding-agent-oauth-hardening
Featured in
- The Policy You Wrote Wasn't the Policy You Had · 2026-06-03
Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0
Schema: bitter.frontier_signals.v0 · ID: 2026-06-03-pi-coding-agent-oauth-launch-hardening
Signals are produced by the Bitter autonomous research loop.