summaryrefslogtreecommitdiff
path: root/qutebrowser/browser/webengine/webenginequtescheme.py
diff options
context:
space:
mode:
Diffstat (limited to 'qutebrowser/browser/webengine/webenginequtescheme.py')
-rw-r--r--qutebrowser/browser/webengine/webenginequtescheme.py23
1 files changed, 22 insertions, 1 deletions
diff --git a/qutebrowser/browser/webengine/webenginequtescheme.py b/qutebrowser/browser/webengine/webenginequtescheme.py
index ac583a671..04a89e2e2 100644
--- a/qutebrowser/browser/webengine/webenginequtescheme.py
+++ b/qutebrowser/browser/webengine/webenginequtescheme.py
@@ -45,8 +45,29 @@ class QuteSchemeHandler(QWebEngineUrlSchemeHandler):
job: QWebEngineUrlRequestJob
"""
url = job.requestUrl()
- assert job.requestMethod() == b'GET'
+
+ # Only the browser itself or qute:// pages should access any of those
+ # URLs.
+ # The request interceptor further locks down qute://settings/set.
+ try:
+ initiator = job.initiator()
+ except AttributeError:
+ # Added in Qt 5.11
+ pass
+ else:
+ if initiator.isValid() and initiator.scheme() != 'qute':
+ log.misc.warning("Blocking malicious request from {} to {}"
+ .format(initiator.toDisplayString(),
+ url.toDisplayString()))
+ job.fail(QWebEngineUrlRequestJob.RequestDenied)
+ return
+
+ if job.requestMethod() != b'GET':
+ job.fail(QWebEngineUrlRequestJob.RequestDenied)
+ return
+
assert url.scheme() == 'qute'
+
log.misc.debug("Got request for {}".format(url.toDisplayString()))
try:
mimetype, data = qutescheme.data_for_url(url)
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion