diff options
author | Florian Bruhin <git@the-compiler.org> | 2018-07-09 23:38:47 +0200 |
---|---|---|
committer | Florian Bruhin <git@the-compiler.org> | 2018-07-11 17:07:18 +0200 |
commit | c3361c31b370140f323e481dd455450b1e74c099 (patch) | |
tree | c6c93cd74b78610a2610789c6ce907b7e39c5056 /qutebrowser/browser/webengine/webenginequtescheme.py | |
parent | 404c276774e689032b0e2c6381bb308c182778de (diff) | |
download | qutebrowser-v1.2.x.tar.gz qutebrowser-v1.2.x.zip |
CVE-2018-10895: Fix CSRF issues with qute://settings/set URLv1.2.x
In ffc29ee043ae7336d9b9dcc029a05bf7a3f994e8 (part of v1.0.0), a
qute://settings/set URL was added to change settings.
Contrary to what I apparently believed at the time, it *is* possible for
websites to access `qute://*` URLs (i.e., neither QtWebKit nor QtWebEngine
prohibit such requests, other than the usual cross-origin rules).
In other words, this means a website can e.g. have an `<img>` tag which loads a
`qute://settings/set` URL, which then sets `editor.command` to a bash script.
The result of that is arbitrary code execution.
Fixes #4060
See #2332
(cherry picked from commit 43e58ac865ff862c2008c510fc5f7627e10b4660)
Diffstat (limited to 'qutebrowser/browser/webengine/webenginequtescheme.py')
-rw-r--r-- | qutebrowser/browser/webengine/webenginequtescheme.py | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/qutebrowser/browser/webengine/webenginequtescheme.py b/qutebrowser/browser/webengine/webenginequtescheme.py index ac583a671..04a89e2e2 100644 --- a/qutebrowser/browser/webengine/webenginequtescheme.py +++ b/qutebrowser/browser/webengine/webenginequtescheme.py @@ -45,8 +45,29 @@ class QuteSchemeHandler(QWebEngineUrlSchemeHandler): job: QWebEngineUrlRequestJob """ url = job.requestUrl() - assert job.requestMethod() == b'GET' + + # Only the browser itself or qute:// pages should access any of those + # URLs. + # The request interceptor further locks down qute://settings/set. + try: + initiator = job.initiator() + except AttributeError: + # Added in Qt 5.11 + pass + else: + if initiator.isValid() and initiator.scheme() != 'qute': + log.misc.warning("Blocking malicious request from {} to {}" + .format(initiator.toDisplayString(), + url.toDisplayString())) + job.fail(QWebEngineUrlRequestJob.RequestDenied) + return + + if job.requestMethod() != b'GET': + job.fail(QWebEngineUrlRequestJob.RequestDenied) + return + assert url.scheme() == 'qute' + log.misc.debug("Got request for {}".format(url.toDisplayString())) try: mimetype, data = qutescheme.data_for_url(url) |