diff options
author | Florian Bruhin <git@the-compiler.org> | 2018-07-09 23:38:47 +0200 |
---|---|---|
committer | Florian Bruhin <git@the-compiler.org> | 2018-07-11 17:07:59 +0200 |
commit | c2ff32d92ba9bf40ff53498ee04a4124d4993c85 (patch) | |
tree | aa8130a54e7ea9b58f2b4192954deff26fd97d12 /tests/end2end/data/misc/qutescheme_csrf.html | |
parent | 718f73be2eb062f4893a463bca34c18feeded251 (diff) | |
download | qutebrowser-v1.3.x.tar.gz qutebrowser-v1.3.x.zip |
CVE-2018-10895: Fix CSRF issues with qute://settings/set URLv1.3.x
In ffc29ee043ae7336d9b9dcc029a05bf7a3f994e8 (part of v1.0.0), a
qute://settings/set URL was added to change settings.
Contrary to what I apparently believed at the time, it *is* possible for
websites to access `qute://*` URLs (i.e., neither QtWebKit nor QtWebEngine
prohibit such requests, other than the usual cross-origin rules).
In other words, this means a website can e.g. have an `<img>` tag which loads a
`qute://settings/set` URL, which then sets `editor.command` to a bash script.
The result of that is arbitrary code execution.
Fixes #4060
See #2332
(cherry picked from commit 43e58ac865ff862c2008c510fc5f7627e10b4660)
Diffstat (limited to 'tests/end2end/data/misc/qutescheme_csrf.html')
-rw-r--r-- | tests/end2end/data/misc/qutescheme_csrf.html | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/tests/end2end/data/misc/qutescheme_csrf.html b/tests/end2end/data/misc/qutescheme_csrf.html new file mode 100644 index 000000000..66c8fe240 --- /dev/null +++ b/tests/end2end/data/misc/qutescheme_csrf.html @@ -0,0 +1,20 @@ +<!DOCTYPE html> +<html> + <head> + <meta charset="utf-8"> + <title>CSRF issues with qute://settings</title> + <script type="text/javascript"> + function add_img() { + const elem = document.createElement("img") + elem.src = "qute://settings/set?option=auto_save.interval&value=invalid"; + document.body.appendChild(elem); + } + </script> + </head> + <body> + <form action="qute://settings/set?option=auto_save.interval&value=invalid" method="post"><button type="submit" id="via-form">Via form</button></form> + <input type="button" onclick="add_img()" value="Via img" id="via-img"> + <a href="qute://settings/set?option=auto_save.interval&value=invalid" id="via-link">Via link</a> + <a href="/redirect-to?url=qute://settings/set%3Foption=auto_save.interval%26value=invalid" id="via-redirect">Via redirect</a> + </body> +</html> |