CVE-2018-10895: Fix CSRF issues with qute://settings/set URLv1.3.x

In ffc29ee043ae7336d9b9dcc029a05bf7a3f994e8 (part of v1.0.0), a
qute://settings/set URL was added to change settings.

Contrary to what I apparently believed at the time, it *is* possible for
websites to access `qute://*` URLs (i.e., neither QtWebKit nor QtWebEngine
prohibit such requests, other than the usual cross-origin rules).

In other words, this means a website can e.g. have an `<img>` tag which loads a
`qute://settings/set` URL, which then sets `editor.command` to a bash script.
The result of that is arbitrary code execution.

Fixes #4060
See #2332

(cherry picked from commit 43e58ac865ff862c2008c510fc5f7627e10b4660)

1 files changed, 20 insertions, 0 deletions

diff --git a/tests/end2end/data/misc/qutescheme_csrf.html b/tests/end2end/data/misc/qutescheme_csrf.html
new file mode 100644
index 000000000..66c8fe240
--- /dev/null
+++ b/tests/end2end/data/misc/qutescheme_csrf.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+    <head>
+        <meta charset="utf-8">
+        <title>CSRF issues with qute://settings</title>
+        <script type="text/javascript">
+            function add_img() {
+                const elem = document.createElement("img")
+                elem.src = "qute://settings/set?option=auto_save.interval&value=invalid";
+                document.body.appendChild(elem);
+            }
+        </script>
+    </head>
+    <body>
+        <form action="qute://settings/set?option=auto_save.interval&value=invalid" method="post"><button type="submit" id="via-form">Via form</button></form>
+        <input type="button" onclick="add_img()" value="Via img" id="via-img">
+        <a href="qute://settings/set?option=auto_save.interval&value=invalid" id="via-link">Via link</a>
+        <a href="/redirect-to?url=qute://settings/set%3Foption=auto_save.interval%26value=invalid" id="via-redirect">Via redirect</a>
+    </body>
+</html>