-rw-r--r-- | doc/changelog.asciidoc | 8 | ||||
-rw-r--r-- | qutebrowser/utils/resources.py | 2 | ||||
-rw-r--r-- | qutebrowser/utils/utils.py | 6 |
3 files changed, 12 insertions, 4 deletions
diff --git a/doc/changelog.asciidoc b/doc/changelog.asciidoc
index c17f35eec..b3f99fb05 100644
--- a/doc/changelog.asciidoc
+++ b/doc/changelog.asciidoc
@@ -19,6 +19,14 @@ breaking changes (such as renamed commands) can happen in minor releases.
 v2.4.0 (unreleased)
 -------------------
 
+Security
+~~~~~~~~
+
+- **CVE-2021-41146**: Fix arbitrary command execution on Windows via URL handler
+  argument injection. See the
+  https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm[security advisory]
+  for details.
+
 Added
 ~~~~~
 
diff --git a/qutebrowser/utils/resources.py b/qutebrowser/utils/resources.py
index ff5ec9d9a..f561d6747 100644
--- a/qutebrowser/utils/resources.py
+++ b/qutebrowser/utils/resources.py
@@ -82,7 +82,7 @@ def _glob(
         else:  # zipfile.Path or importlib_resources compat object
             # Unfortunately, we can't tell mypy about resource_path being of type
             # Union[pathlib.Path, zipfile.Path] because we set "python_version = 3.6" in
-            # .mypy.ini, but the zipfiel stubs (correctly) only declare zipfile.Path with
+            # .mypy.ini, but the zipfile stubs (correctly) only declare zipfile.Path with
             # Python 3.8...
             assert glob_path.is_dir(), glob_path  # type: ignore[unreachable]
             for subpath in glob_path.iterdir():
diff --git a/qutebrowser/utils/utils.py b/qutebrowser/utils/utils.py
index 5784d754c..f42515c5c 100644
--- a/qutebrowser/utils/utils.py
+++ b/qutebrowser/utils/utils.py
@@ -669,12 +669,12 @@ def yaml_load(f: Union[str, IO[str]]) -> Any:
             r"of from 'collections\.abc' is deprecated.*"):
         try:
             data = yaml.load(f, Loader=YamlLoader)
-        except ValueError as e:
+        except ValueError as e:  # pragma: no cover
             pyyaml_error = 'could not convert string to float'
-            if str(e).startswith(pyyaml_error):  # pragma: no cover
+            if str(e).startswith(pyyaml_error):
                 # WORKAROUND for https://github.com/yaml/pyyaml/issues/168
                 raise yaml.YAMLError(e)
-        raise  # pragma: no cover
+        raise
     end = datetime.datetime.now()
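Review bot: Nothing in the utils.py hunk records why the `except ValueError as e:` handler is unreachable in tests, now that `# pragma: no cover` on the `except` line excludes the entire handler (including the WORKAROUND branch that re-raises as `yaml.YAMLError`) from coverage; a short justification would stop the next reader from deleting the pragma, e.g. `except ValueError as e:  # pragma: no cover -- only reachable with a pyyaml affected by yaml/pyyaml#168`. The security-relevant line in this hunk, `data = yaml.load(f, Loader=YamlLoader)`, is only safe if `YamlLoader` (defined outside the hunk) stays a SafeLoader/CSafeLoader alias, so a comment next to the call such as `# YamlLoader must remain a safe loader: the input is presumably user-editable config/session data` would pin that invariant where it matters. Since `raise yaml.YAMLError(e)` executes inside the handler, Python already chains the original ValueError as `__context__`; writing `raise yaml.YAMLError(e) from e` would make the cause explicit in the traceback. The enclosing `yaml_load` function starts and ends outside the hunk.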