1 files changed, 24 insertions, 6 deletions

diff --git a/qutebrowser/browser/webkit/network/webkitqutescheme.py b/qutebrowser/browser/webkit/network/webkitqutescheme.py
index 5413a4a8d..236ebcc0c 100644
--- a/qutebrowser/browser/webkit/network/webkitqutescheme.py
+++ b/qutebrowser/browser/webkit/network/webkitqutescheme.py
@@ -21,7 +21,8 @@
 
 import mimetypes
 
-from PyQt5.QtNetwork import QNetworkReply
+from PyQt5.QtCore import QUrl
+from PyQt5.QtNetwork import QNetworkReply, QNetworkAccessManager
 
 from qutebrowser.browser import pdfjs, qutescheme
 from qutebrowser.browser.webkit.network import schemehandler, networkreply
@@ -32,22 +33,39 @@ class QuteSchemeHandler(schemehandler.SchemeHandler):
 
     """Scheme handler for qute:// URLs."""
 
-    def createRequest(self, _op, request, _outgoing_data):
+    def createRequest(self, op, request, _outgoing_data, current_url):
         """Create a new request.
 
         Args:
              request: const QNetworkRequest & req
-             _op: Operation op
+             op: Operation op
              _outgoing_data: QIODevice * outgoingData
+             current_url: The page we're on currently.
 
         Return:
             A QNetworkReply.
         """
+        if op != QNetworkAccessManager.GetOperation:
+            return networkreply.ErrorNetworkReply(
+                request, "Unsupported request type",
+                QNetworkReply.ContentOperationNotPermittedError)
+
+        url = request.url()
+
+        if ((url.scheme(), url.host(), url.path()) ==
+                ('qute', 'settings', '/set')):
+            if current_url != QUrl('qute://settings/'):
+                log.webview.warning("Blocking malicious request from {} to {}"
+                                    .format(current_url.toDisplayString(),
+                                            url.toDisplayString()))
+                return networkreply.ErrorNetworkReply(
+                    request, "Invalid qute://settings request",
+                    QNetworkReply.ContentAccessDenied)
+
         try:
-            mimetype, data = qutescheme.data_for_url(request.url())
+            mimetype, data = qutescheme.data_for_url(url)
         except qutescheme.NoHandlerFound:
-            errorstr = "No handler found for {}!".format(
-                request.url().toDisplayString())
+            errorstr = "No handler found for {}!".format(url.toDisplayString())
             return networkreply.ErrorNetworkReply(
                 request, errorstr, QNetworkReply.ContentNotFoundError,
                 self.parent())