summaryrefslogtreecommitdiff
path: root/qutebrowser/browser/webengine/interceptor.py
diff options
context:
space:
mode:
authorFlorian Bruhin <git@the-compiler.org>2018-07-09 23:38:47 +0200
committerFlorian Bruhin <git@the-compiler.org>2018-07-11 17:07:18 +0200
commitc3361c31b370140f323e481dd455450b1e74c099 (patch)
treec6c93cd74b78610a2610789c6ce907b7e39c5056 /qutebrowser/browser/webengine/interceptor.py
parent404c276774e689032b0e2c6381bb308c182778de (diff)
downloadqutebrowser-v1.2.x.tar.gz
qutebrowser-v1.2.x.zip
CVE-2018-10895: Fix CSRF issues with qute://settings/set URLv1.2.x
In ffc29ee043ae7336d9b9dcc029a05bf7a3f994e8 (part of v1.0.0), a qute://settings/set URL was added to change settings. Contrary to what I apparently believed at the time, it *is* possible for websites to access `qute://*` URLs (i.e., neither QtWebKit nor QtWebEngine prohibit such requests, other than the usual cross-origin rules). In other words, this means a website can e.g. have an `<img>` tag which loads a `qute://settings/set` URL, which then sets `editor.command` to a bash script. The result of that is arbitrary code execution. Fixes #4060 See #2332 (cherry picked from commit 43e58ac865ff862c2008c510fc5f7627e10b4660)
Diffstat (limited to 'qutebrowser/browser/webengine/interceptor.py')
-rw-r--r--qutebrowser/browser/webengine/interceptor.py18
1 files changed, 17 insertions, 1 deletions
diff --git a/qutebrowser/browser/webengine/interceptor.py b/qutebrowser/browser/webengine/interceptor.py
index 480e8ee85..80563f172 100644
--- a/qutebrowser/browser/webengine/interceptor.py
+++ b/qutebrowser/browser/webengine/interceptor.py
@@ -19,7 +19,9 @@
"""A request interceptor taking care of adblocking and custom headers."""
-from PyQt5.QtWebEngineCore import QWebEngineUrlRequestInterceptor
+from PyQt5.QtCore import QUrl
+from PyQt5.QtWebEngineCore import (QWebEngineUrlRequestInterceptor,
+ QWebEngineUrlRequestInfo)
from qutebrowser.config import config
from qutebrowser.browser import shared
@@ -54,6 +56,20 @@ class RequestInterceptor(QWebEngineUrlRequestInterceptor):
Args:
info: QWebEngineUrlRequestInfo &info
"""
+ url = info.requestUrl()
+ firstparty = info.firstPartyUrl()
+
+ if ((url.scheme(), url.host(), url.path()) ==
+ ('qute', 'settings', '/set')):
+ if (firstparty != QUrl('qute://settings/') or
+ info.resourceType() !=
+ QWebEngineUrlRequestInfo.ResourceTypeXhr):
+ log.webview.warning("Blocking malicious request from {} to {}"
+ .format(firstparty.toDisplayString(),
+ url.toDisplayString()))
+ info.block(True)
+ return
+
# FIXME:qtwebengine only block ads for NavigationTypeOther?
if self._host_blocker.is_blocked(info.requestUrl()):
log.webview.info("Request to {} blocked by host blocker.".format(
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion