author | Florian Bruhin <me@the-compiler.org> | 2020-05-02 18:54:05 +0200 |
---|---|---|
committer | Florian Bruhin <me@the-compiler.org> | 2020-05-02 19:23:51 +0200 |
commit | 2281a205c3e70ec20f35ec8fafecee0d5c4f3478 (patch) | |
tree | 3f8dc446585d55c61eee8bb5e29a2a1c9e9032ef | |
parent | b1e142e96dd2a8be8fd802ef4ac83f91f7359c59 (diff) | |
Security: Remember hosts with ignored cert errors for load status
Without this change, we only set a flag when a certificate error occurred.
However, when the same certificate error then happens a second time (e.g.
because of a reload or opening the same URL again), we then colored the URL as
success_https (i.e. green) again.
See #5403
(cherry picked from commit 021ab572a319ca3db5907a33a59774f502b3b975)
-rw-r--r-- | qutebrowser/browser/browsertab.py | 16 | ||||
-rw-r--r-- | qutebrowser/browser/webengine/webenginetab.py | 4 | ||||
-rw-r--r-- | qutebrowser/browser/webkit/webkittab.py | 6 |
3 files changed, 17 insertions, 9 deletions
diff --git a/qutebrowser/browser/browsertab.py b/qutebrowser/browser/browsertab.py index d9819e91f..778633c5a 100644 --- a/qutebrowser/browser/browsertab.py +++ b/qutebrowser/browser/browsertab.py @@ -866,6 +866,13 @@ class AbstractTab(QWidget): # arg 1: The exit code. renderer_process_terminated = pyqtSignal(TerminationStatus, int) + # Hosts for which a certificate error happened. Shared between all tabs. + # + # Note that we remember hosts here, without scheme/port: + # QtWebEngine/Chromium also only remembers hostnames, and certificates are + # for a given hostname anyways. + _insecure_hosts = set() # type: typing.Set[str] + def __init__(self, *, win_id: int, private: bool, parent: QWidget = None) -> None: self.is_private = private @@ -883,7 +890,6 @@ class AbstractTab(QWidget): self._layout = miscwidgets.WrapperLayout(self) self._widget = None # type: typing.Optional[QWidget] self._progress = 0 - self._has_ssl_errors = False self._load_status = usertypes.LoadStatus.none self._tab_event_filter = eventfilter.TabEventFilter( self, parent=self) @@ -971,7 +977,6 @@ class AbstractTab(QWidget): @pyqtSlot() def _on_load_started(self) -> None: self._progress = 0 - self._has_ssl_errors = False self.data.viewing_source = False self._set_load_status(usertypes.LoadStatus.loading) self.load_started.emit() @@ -1031,9 +1036,12 @@ class AbstractTab(QWidget): Needs to be called by subclasses to trigger a load status update, e.g. as a response to a loadFinished signal. """ - if ok and not self._has_ssl_errors: + if ok: if self.url().scheme() == 'https': - self._set_load_status(usertypes.LoadStatus.success_https) + if self.url().host() in self._insecure_hosts: + self._set_load_status(usertypes.LoadStatus.warn) + else: + self._set_load_status(usertypes.LoadStatus.success_https) else: self._set_load_status(usertypes.LoadStatus.success) elif ok: diff --git a/qutebrowser/browser/webengine/webenginetab.py b/qutebrowser/browser/webengine/webenginetab.py index 41e879c9a..3960da3bf 100644 
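Review bot: `_insecure_hosts` in the `@@ -866` hunk is a class attribute that the hunks shown only ever add to, so an entry lives for the whole process and is shared between private and normal tabs (`self.is_private` is set a few lines below). That is the conservative direction for the status colour, but a host that produced a certificate error in a private window then changes how it is coloured in normal windows for the rest of the session. A host whose certificate is later fixed also stays at `warn` until restart. I would state this in the comment, e.g. `# Never pruned, and deliberately shared between private and non-private tabs.`, or confirm that sharing with private tabs is intended.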
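Review bot: With the first condition reduced to `if ok:` in the `@@ -1031` hunk, the trailing `elif ok:` branch can no longer be reached and should be dropped so the chain reads `if ok: … else: …`. Separately, the lookup uses only `self.url().host()`, whereas the removed `_has_ssl_errors` flag was set by any certificate error during the load. If the backends also report errors for subresources on other hosts (the WebKit slot takes a generic `QNetworkReply*`), a page whose own host is clean is now shown as `success_https` even though such an error occurred while loading it. It is worth confirming whether that case should still yield `warn`. The method body starts and ends outside the hunk.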
--- a/qutebrowser/browser/webengine/webenginetab.py +++ b/qutebrowser/browser/webengine/webenginetab.py @@ -1423,9 +1423,9 @@ class WebEngineTab(browsertab.AbstractTab): @pyqtSlot(certificateerror.CertificateErrorWrapper) def _on_ssl_errors(self, error): - self._has_ssl_errors = True - url = error.url() + self._insecure_hosts.add(url.host()) + log.webview.debug("Certificate error: {}".format(error)) if error.is_overridable(): diff --git a/qutebrowser/browser/webkit/webkittab.py b/qutebrowser/browser/webkit/webkittab.py index 2aa82f0d2..42c91ddc1 100644 --- a/qutebrowser/browser/webkit/webkittab.py +++ b/qutebrowser/browser/webkit/webkittab.py @@ -851,9 +851,9 @@ class WebKitTab(browsertab.AbstractTab): if navigation.is_main_frame: self.settings.update_for_url(navigation.url) - @pyqtSlot() - def _on_ssl_errors(self): - self._has_ssl_errors = True + @pyqtSlot('QNetworkReply*') + def _on_ssl_errors(self, reply): + self._insecure_hosts.add(reply.url().host()) def _connect_signals(self): view = self._widget |
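Review bot: `self._insecure_hosts.add(url.host())` in `WebEngineTab._on_ssl_errors` runs before the `error.is_overridable()` check, so the host is remembered for every certificate error, not only for ignored ones as the commit title suggests. That fails safe, but a short comment would keep a later refactor from moving the call into the accepted branch: `# Record the host for every certificate error, even a rejected one, so later loads never show success_https.` The rest of the method is outside the hunk.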