author | Florian Bruhin <git@the-compiler.org> | 2018-07-09 23:38:47 +0200 |
---|---|---|
committer | Florian Bruhin <git@the-compiler.org> | 2018-07-11 17:06:40 +0200 |
commit | ff686ff7f395d83e5ac48507ecfae0b0e97a61ef (patch) | |
tree | 10465c0cea2939fe9458254968fda49a3e004132 /qutebrowser/browser/webengine/interceptor.py | |
parent | 8486efa940d8349176237dec47a5fbd8694e0375 (diff) | |
CVE-2018-10895: Fix CSRF issues with qute://settings/set URLv1.1.x
In ffc29ee043ae7336d9b9dcc029a05bf7a3f994e8 (part of v1.0.0), a
qute://settings/set URL was added to change settings.
Contrary to what I apparently believed at the time, it *is* possible for
websites to access `qute://*` URLs (i.e., neither QtWebKit nor QtWebEngine
prohibit such requests, other than the usual cross-origin rules).
In other words, this means a website can e.g. have an `<img>` tag which loads a
`qute://settings/set` URL, which then sets `editor.command` to a bash script.
The result of that is arbitrary code execution.
Fixes #4060
See #2332
(cherry picked from commit 43e58ac865ff862c2008c510fc5f7627e10b4660)
Diffstat (limited to 'qutebrowser/browser/webengine/interceptor.py')
-rw-r--r-- | qutebrowser/browser/webengine/interceptor.py | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/qutebrowser/browser/webengine/interceptor.py b/qutebrowser/browser/webengine/interceptor.py
index e34718791..df5f32a9d 100644
--- a/qutebrowser/browser/webengine/interceptor.py
+++ b/qutebrowser/browser/webengine/interceptor.py
@@ -19,7 +19,9 @@
 """A request interceptor taking care of adblocking and custom headers."""
-from PyQt5.QtWebEngineCore import QWebEngineUrlRequestInterceptor
+from PyQt5.QtCore import QUrl
+from PyQt5.QtWebEngineCore import (QWebEngineUrlRequestInterceptor,
+ QWebEngineUrlRequestInfo)
 from qutebrowser.config import config
 from qutebrowser.browser import shared
@@ -54,6 +56,20 @@ class RequestInterceptor(QWebEngineUrlRequestInterceptor):
 Args:
 info: QWebEngineUrlRequestInfo &info
 """
+ url = info.requestUrl()
+ firstparty = info.firstPartyUrl()
+
+ if ((url.scheme(), url.host(), url.path()) ==
+ ('qute', 'settings', '/set')):
+ if (firstparty != QUrl('qute://settings/') or
+ info.resourceType() !=
+ QWebEngineUrlRequestInfo.ResourceTypeXhr):
+ log.webview.warning("Blocking malicious request from {} to {}"
+ .format(firstparty.toDisplayString(),
+ url.toDisplayString()))
+ info.block(True)
+ return
+
 # FIXME:qtwebengine only block ads for NavigationTypeOther?
 if self._host_blocker.is_blocked(info.requestUrl()):
 log.webview.info("Request to {} blocked by host blocker.".format( |
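Review bot: The new guard in the second hunk applies only when the request compares equal to the exact tuple `('qute', 'settings', '/set')`, so any request that does not match it passes through unchecked. Whether the qute://settings handler accepts other spellings of that path is not visible here, so the same first-party and resource-type rule should also be enforced in the handler itself, not just in this interceptor. The block also has no comment saying why an XHR whose first party is `qute://settings/` is the only permitted caller; I would add `# qute://settings/set changes config: allow it only as an XHR issued by the qute://settings/ page itself (CVE-2018-10895)` above the outer `if`. The enclosing method starts before and continues after the hunk, so how the blocked path interacts with the later host-blocker and header logic is not fully visible.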