diff options
Diffstat (limited to 'qutebrowser/qutebrowser.py')
| -rw-r--r-- | qutebrowser/qutebrowser.py | 33 |
1 files changed, 25 insertions, 8 deletions
diff --git a/qutebrowser/qutebrowser.py b/qutebrowser/qutebrowser.py index fb2776376..a3d0b4c49 100644 --- a/qutebrowser/qutebrowser.py +++ b/qutebrowser/qutebrowser.py @@ -82,14 +82,11 @@ def get_argparser(): "qutebrowser instance running.") parser.add_argument('--backend', choices=['webkit', 'webengine'], help="Which backend to use.") - parser.add_argument('--enable-webengine-inspector', action='store_true', - help="Enable the web inspector / devtools for " - "QtWebEngine. Note that this is a SECURITY RISK and " - "you should not visit untrusted websites with the " - "inspector turned on. See " - "https://bugreports.qt.io/browse/QTBUG-50725 for more " - "details. This is not needed anymore since Qt 5.11 " - "where the inspector is always enabled and secure.") + parser.add_argument('--untrusted-args', + action='store_true', + help="Mark all following arguments as untrusted, which " + "enforces that they are URLs/search terms (and not flags or " + "commands)") parser.add_argument('--json-args', help=argparse.SUPPRESS) parser.add_argument('--temp-basedir-restarted', help=argparse.SUPPRESS) @@ -186,7 +183,27 @@ def debug_flag_error(flag): .format(', '.join(valid_flags))) +def _validate_untrusted_args(argv): + # NOTE: Do not use f-strings here, as this should run with older Python + # versions (so that a proper error can be displayed) + try: + untrusted_idx = argv.index('--untrusted-args') + except ValueError: + return + + rest = argv[untrusted_idx + 1:] + if len(rest) > 1: + sys.exit( + "Found multiple arguments ({}) after --untrusted-args, " + "aborting.".format(' '.join(rest))) + + for arg in rest: + if arg.startswith(('-', ':')): + sys.exit("Found {} after --untrusted-args, aborting.".format(arg)) + + def main(): + _validate_untrusted_args(sys.argv) parser = get_argparser() argv = sys.argv[1:] args = parser.parse_args(argv) |