summaryrefslogtreecommitdiff
path: root/qutebrowser/browser/webengine/webenginequtescheme.py
diff options
context:
space:
mode:
authorFlorian Bruhin <git@the-compiler.org>2018-07-09 23:38:47 +0200
committerFlorian Bruhin <git@the-compiler.org>2018-07-11 17:07:59 +0200
commitc2ff32d92ba9bf40ff53498ee04a4124d4993c85 (patch)
treeaa8130a54e7ea9b58f2b4192954deff26fd97d12 /qutebrowser/browser/webengine/webenginequtescheme.py
parent718f73be2eb062f4893a463bca34c18feeded251 (diff)
downloadqutebrowser-c2ff32d92ba9bf40ff53498ee04a4124d4993c85.tar.gz
qutebrowser-c2ff32d92ba9bf40ff53498ee04a4124d4993c85.zip
CVE-2018-10895: Fix CSRF issues with qute://settings/set URLv1.3.x
In ffc29ee043ae7336d9b9dcc029a05bf7a3f994e8 (part of v1.0.0), a qute://settings/set URL was added to change settings. Contrary to what I apparently believed at the time, it *is* possible for websites to access `qute://*` URLs (i.e., neither QtWebKit nor QtWebEngine prohibit such requests, other than the usual cross-origin rules). In other words, this means a website can e.g. have an `<img>` tag which loads a `qute://settings/set` URL, which then sets `editor.command` to a bash script. The result of that is arbitrary code execution. Fixes #4060 See #2332 (cherry picked from commit 43e58ac865ff862c2008c510fc5f7627e10b4660)
Diffstat (limited to 'qutebrowser/browser/webengine/webenginequtescheme.py')
-rw-r--r--qutebrowser/browser/webengine/webenginequtescheme.py22
1 files changed, 21 insertions, 1 deletions
diff --git a/qutebrowser/browser/webengine/webenginequtescheme.py b/qutebrowser/browser/webengine/webenginequtescheme.py
index 12ab6af31..13704ea12 100644
--- a/qutebrowser/browser/webengine/webenginequtescheme.py
+++ b/qutebrowser/browser/webengine/webenginequtescheme.py
@@ -54,8 +54,28 @@ class QuteSchemeHandler(QWebEngineUrlSchemeHandler):
job.fail(QWebEngineUrlRequestJob.UrlInvalid)
return
- assert job.requestMethod() == b'GET'
+ # Only the browser itself or qute:// pages should access any of those
+ # URLs.
+ # The request interceptor further locks down qute://settings/set.
+ try:
+ initiator = job.initiator()
+ except AttributeError:
+ # Added in Qt 5.11
+ pass
+ else:
+ if initiator.isValid() and initiator.scheme() != 'qute':
+ log.misc.warning("Blocking malicious request from {} to {}"
+ .format(initiator.toDisplayString(),
+ url.toDisplayString()))
+ job.fail(QWebEngineUrlRequestJob.RequestDenied)
+ return
+
+ if job.requestMethod() != b'GET':
+ job.fail(QWebEngineUrlRequestJob.RequestDenied)
+ return
+
assert url.scheme() == 'qute'
+
log.misc.debug("Got request for {}".format(url.toDisplayString()))
try:
mimetype, data = qutescheme.data_for_url(url)
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion