path: root/tests/end2end/features/qutescheme.feature
author    Florian Bruhin <git@the-compiler.org>  2018-07-09 23:38:47 +0200
committer Florian Bruhin <git@the-compiler.org>  2018-07-11 17:07:18 +0200
commit    c3361c31b370140f323e481dd455450b1e74c099
tree      c6c93cd74b78610a2610789c6ce907b7e39c5056 /tests/end2end/features/qutescheme.feature
parent    404c276774e689032b0e2c6381bb308c182778de
CVE-2018-10895: Fix CSRF issues with qute://settings/set URL (v1.2.x)

In ffc29ee043ae7336d9b9dcc029a05bf7a3f994e8 (part of v1.0.0), a qute://settings/set URL was added to change settings. Contrary to what I apparently believed at the time, it *is* possible for websites to access `qute://*` URLs (i.e., neither QtWebKit nor QtWebEngine prohibit such requests, other than the usual cross-origin rules).

In other words, this means a website can e.g. have an `<img>` tag which loads a `qute://settings/set` URL, which then sets `editor.command` to a bash script. The result of that is arbitrary code execution.

Fixes #4060
See #2332

(cherry picked from commit 43e58ac865ff862c2008c510fc5f7627e10b4660)
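The two layers of defence the commit message calls for, as an added Python example that is not qutebrowser's own code: a request-interceptor check that only lets the qute://settings page itself reach qute://settings/set, and a CSRF token check inside the handler so a request that slips past the interceptor is still rejected. The function names, the `csrf_token`/`option`/`value` query parameters, the per-session token and the sample URLs are assumptions for illustration; the returned strings mirror the log lines the test scenarios in this commit match on.

```python
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumption: the legitimate qute://settings page is rendered with a random
# per-session token that its own requests to qute://settings/set carry.
SETTINGS_CSRF_TOKEN = secrets.token_urlsafe(32)


def _is_settings_set(url: str) -> bool:
    """True for the privileged qute://settings/set URL (any query string)."""
    u = urlsplit(url)
    return u.scheme == "qute" and u.netloc == "settings" and u.path == "/set"


def is_blocked(first_party: str, request: str) -> bool:
    """Request-interceptor check (first line of defence).

    first_party is the URL of the page that initiated the load ("" when the
    engine reports none); request is the URL being loaded.  Only the
    qute://settings page itself may talk to qute://settings/set.  Everything
    else is blocked: an http:// page embedding an <img>, another qute://
    page, and a top-level navigation, where the engine reports the target
    qute://settings/set URL itself as first party.
    """
    if not _is_settings_set(request):
        return False
    fp = urlsplit(first_party)
    origin_ok = (fp.scheme == "qute" and fp.netloc == "settings"
                 and fp.path in ("", "/"))
    return not origin_ok


def handle_set(request: str, expected_token: str = SETTINGS_CSRF_TOKEN) -> str:
    """qute://settings/set handler (second line of defence).

    Even a request the interceptor let through must present the token, so a
    backend without a working interceptor does not reopen the hole.
    """
    params = parse_qs(urlsplit(request).query, keep_blank_values=True)
    token = params.get("csrf_token", [""])[0]
    # Constant-time comparison on bytes: compare_digest rejects non-ASCII str.
    if not secrets.compare_digest(token.encode(), expected_token.encode()):
        raise PermissionError("Invalid CSRF token for qute://settings!")
    try:
        option, value = params["option"][0], params["value"][0]
    except KeyError:
        raise ValueError("Invalid qute://settings request") from None
    return f"set {option} = {value!r}"


def load(first_party: str, request: str) -> str:
    """Run both layers and return the log line a test would match on."""
    if is_blocked(first_party, request):
        return f"Blocking malicious request from {first_party} to {request}"
    if not _is_settings_set(request):
        return f"loaded {request}"
    try:
        return handle_set(request)
    except (PermissionError, ValueError) as e:
        return f"Error while handling {request} URL: {e}"


if __name__ == "__main__":
    # Constructed sample URLs: the attacking page and the <img> src it uses.
    evil = "http://localhost:8080/data/misc/qutescheme_csrf.html"
    attack = "qute://settings/set?option=editor.command&value=bash"
    print(load(evil, attack))               # blocked by the interceptor
    print(load(attack, attack))             # top-level navigation, also blocked
    print(load("qute://settings", attack))  # right origin, but no token
    print(load("qute://settings", f"{attack}&csrf_token={SETTINGS_CSRF_TOKEN}"))
```

The interceptor decides on the first-party URL, not on the request's referrer, because an image load from an http:// page and a top-level navigation to the qute:// URL both need to fail; the token check is what still protects the handler when a request reaches it by a path the interceptor never sees.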
Diffstat (limited to 'tests/end2end/features/qutescheme.feature')
-rw-r--r--  tests/end2end/features/qutescheme.feature  | 57
1 file changed, 57 insertions, 0 deletions
diff --git a/tests/end2end/features/qutescheme.feature b/tests/end2end/features/qutescheme.feature
index 1abaadd87..74b11b344 100644
--- a/tests/end2end/features/qutescheme.feature
+++ b/tests/end2end/features/qutescheme.feature
@@ -130,6 +130,63 @@ Feature: Special qute:// pages
And I press the key "<Tab>"
Then "Invalid value 'foo' *" should be logged
+ @qtwebkit_skip
+ Scenario: qute://settings CSRF via img (webengine)
+ When I open data/misc/qutescheme_csrf.html
+ And I run :click-element id via-img
+ Then "Blocking malicious request from http://localhost:*/data/misc/qutescheme_csrf.html to qute://settings/set?*" should be logged
+
+ @qtwebkit_skip
+ Scenario: qute://settings CSRF via link (webengine)
+ When I open data/misc/qutescheme_csrf.html
+ And I run :click-element id via-link
+ Then "Blocking malicious request from qute://settings/set?* to qute://settings/set?*" should be logged
+
+ @qtwebkit_skip
+ Scenario: qute://settings CSRF via redirect (webengine)
+ When I open data/misc/qutescheme_csrf.html
+ And I run :click-element id via-redirect
+ Then "Blocking malicious request from qute://settings/set?* to qute://settings/set?*" should be logged
+
+ @qtwebkit_skip
+ Scenario: qute://settings CSRF via form (webengine)
+ When I open data/misc/qutescheme_csrf.html
+ And I run :click-element id via-form
+ Then "Blocking malicious request from qute://settings/set?* to qute://settings/set?*" should be logged
+
+ @qtwebkit_skip
+ Scenario: qute://settings CSRF token (webengine)
+ When I open qute://settings
+ And I run :jseval const xhr = new XMLHttpRequest(); xhr.open("GET", "qute://settings/set"); xhr.send()
+ Then "Error while handling qute://* URL" should be logged
+ And the error "Invalid CSRF token for qute://settings!" should be shown
+
+ @qtwebengine_skip
+ Scenario: qute://settings CSRF via img (webkit)
+ When I open data/misc/qutescheme_csrf.html
+ And I run :click-element id via-img
+ Then "Blocking malicious request from http://localhost:*/data/misc/qutescheme_csrf.html to qute://settings/set?*" should be logged
+
+ @qtwebengine_skip
+ Scenario: qute://settings CSRF via link (webkit)
+ When I open data/misc/qutescheme_csrf.html
+ And I run :click-element id via-link
+ Then "Blocking malicious request from http://localhost:*/data/misc/qutescheme_csrf.html to qute://settings/set?*" should be logged
+ And "Error while loading qute://settings/set?*: Invalid qute://settings request" should be logged
+
+ @qtwebengine_skip
+ Scenario: qute://settings CSRF via redirect (webkit)
+ When I open data/misc/qutescheme_csrf.html
+ And I run :click-element id via-redirect
+ Then "Blocking malicious request from http://localhost:*/data/misc/qutescheme_csrf.html to qute://settings/set?*" should be logged
+ And "Error while loading qute://settings/set?*: Invalid qute://settings request" should be logged
+
+ @qtwebengine_skip
+ Scenario: qute://settings CSRF via form (webkit)
+ When I open data/misc/qutescheme_csrf.html
+ And I run :click-element id via-form
+ Then "Error while loading qute://settings/set?*: Unsupported request type" should be logged
+
# pdfjs support
@qtwebengine_skip: pdfjs is not implemented yet
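Review bot: the webengine link, redirect and form scenarios expect `Blocking malicious request from qute://settings/set?* to qute://settings/set?*`, i.e. the recorded source of the blocked request is the target URL itself, whereas the webkit variants of the same scenarios expect `from http://localhost:*/data/misc/qutescheme_csrf.html`; since that asymmetry is exactly the behaviour being pinned down, a one-line comment above the webengine scenarios saying why the first-party URL equals the request URL for top-level navigations there would spare the next reader a debugging session. Two gaps worth a follow-up scenario: the `CSRF token (webengine)` scenario only exercises the missing-token path, and nothing confirms that a request from qute://settings carrying a valid token still succeeds after this change; and the webkit form scenario is rejected with `Unsupported request type` rather than `Blocking malicious request`, so a POST on QtWebKit is caught by the handler's method check alone and would be worth a scenario that also asserts the blocking log line if the interceptor is expected to see it. The fixture `data/misc/qutescheme_csrf.html` that every scenario opens is not part of this file-limited diff, so the element ids `via-img`, `via-link`, `via-redirect` and `via-form` cannot be checked here.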