Age | Commit message | Author
2018-07-11 | CVE-2018-10895: Fix CSRF issues with qute://settings/set URL [v1.1.x] | Florian Bruhin
In ffc29ee043ae7336d9b9dcc029a05bf7a3f994e8 (part of v1.0.0), a qute://settings/set URL was added to change settings. Contrary to what I apparently believed at the time, it *is* possible for websites to access `qute://*` URLs (i.e., neither QtWebKit nor QtWebEngine prohibit such requests, other than the usual cross-origin rules). In other words, this means a website can e.g. have an `<img>` tag which loads a `qute://settings/set` URL, which then sets `editor.command` to a bash script. The result of that is arbitrary code execution.
Fixes #4060
See #2332
(cherry picked from commit 43e58ac865ff862c2008c510fc5f7627e10b4660)
2018-03-01 | Release v1.1.2 [v1.1.2] | Florian Bruhin
2018-03-01 | Upgrade to PyQt 5.10.1 | Florian Bruhin
(cherry picked from commit 889b03169a6b59f91b58a2f4ea7c6807bc0ac6fd)
2018-02-28 | Update changelog from master | Florian Bruhin
2018-02-28 | Don't load the URL immediately on :undo | Florian Bruhin
On some pages like Qt's Gerrit, Indiegogo or Telegram Web, this caused a crash with QtWebEngine and Qt 5.10.1 in QtWebEngineCore::WebContentsAdapter::webContents(). I'm not sure what causes the crash exactly, but I'm guessing it's some kind of race condition between loading the URL initially and deserializing the history, which both end up loading the URL. Since restoring the history means we end up on the given URL anyways, let's just not open the URL beforehand, which seems to fix this.
Fixes #3619.
(cherry picked from commit d44ff5ba01bea65444b96a05eb5252a39b99824f)
2018-02-28 | Fix typing.Union checks with Python 3.7 | Florian Bruhin
(cherry picked from commit 63766c1711548ed119d197be22740b4cd4e3f61a)
2018-01-20 | Release v1.1.1 [v1.1.1] | Florian Bruhin
2018-01-20 | Update changelog for v1.1.1 | Florian Bruhin
2018-01-20 | Fix crash when getting signals for closed tabs | Florian Bruhin
Fixes #3498 (cherry picked from commit 748de85ba2cc7bd8557a87fce88aab0ac3f3ad27)
2018-01-15 | Fix Makefile and make sure it's tested | Florian Bruhin
Fixes #3492 (cherry picked from commit d06f07af80f1858d960d4ea6edd71546da280d93)
2018-01-15 | Release v1.1.0 [v1.1.0] | Florian Bruhin
2018-01-15 | Update changelog for v1.1.0 | Florian Bruhin
2018-01-15 | Merge pull request #3445 from seelaman/hist_import-cleaning | Florian Bruhin
filter out records with None in any field.
2018-01-15 | Merge pull request #3491 from qutebrowser/pyup-scheduled-update-01-15-2018 | Florian Bruhin
Scheduled weekly dependency update for week 02
2018-01-15 | Update hypothesis from 3.44.13 to 3.44.16 | pyup-bot
2018-01-14 | Fix crash when clicking <form> element with name="value" child | Florian Bruhin
https://stackoverflow.com/q/22942689/2085149 Fixes #2877 See #2569
2018-01-10 | Update changelog | Florian Bruhin
2018-01-10 | Merge remote-tracking branch 'origin/pr/3432' | Florian Bruhin
2018-01-10 | Merge remote-tracking branch 'origin/pr/3423' | Florian Bruhin
2018-01-10 | Update changelog | Florian Bruhin
2018-01-10 | Merge remote-tracking branch 'origin/pr/3468' | Florian Bruhin
2018-01-09 | Merge pull request #3475 from qutebrowser/pyup-scheduled-update-01-08-2018 | Florian Bruhin
Scheduled weekly dependency update for week 01
2018-01-08 | Update pytest-qt from 2.3.0 to 2.3.1 | pyup-bot
2018-01-08 | Update hypothesis from 3.44.4 to 3.44.13 | pyup-bot
2018-01-08 | Update setuptools from 38.2.5 to 38.4.0 | pyup-bot
2018-01-08 | Update pep8-naming from 0.4.1 to 0.5.0 | pyup-bot
2018-01-08 | Update flake8-future-import from 0.4.3 to 0.4.4 | pyup-bot
2018-01-08 | Update flake8-docstrings from 1.1.0 to 1.3.0 | pyup-bot
2018-01-08 | Update codecov from 2.0.10 to 2.0.13 | pyup-bot
2018-01-06 | Merge pull request #3454 from qutebrowser/pyup-scheduled-update-01-01-2018 | Florian Bruhin
Scheduled weekly dependency update for week 00
2018-01-05 | Pin pytest to 3.3.1 for now | Florian Bruhin
See https://github.com/pytest-dev/pytest-bdd/issues/229
2018-01-04 | Don't attempt completion if input starts with flag. | Ryan Roden-Corrent
Always interpret the first word in the command string as the command to offer completions for, even if that word looks like a flag. Fixes #3460, where the command string `:-w open` would attempt to offer completions for `open` but crash because the parsing was thrown off. By moving the flag-stripping logic to _after_ we determine the command, `:-w open` interprets `:-w` as the command. Since that is not a valid command, we won't offer any completions.
2018-01-03 | Remove old testbrowser.py | Florian Bruhin
2018-01-02 | replace empty titles with an empty string. | Manuel Seelaus
https://github.com/qutebrowser/qutebrowser/pull/3445#issuecomment-354840724
2018-01-01 | Update werkzeug from 0.13 to 0.14.1 | pyup-bot
2018-01-01 | Update flake8-polyfill from 1.0.1 to 1.0.2 | pyup-bot
2018-01-01 | Update attrs from 17.3.0 to 17.4.0 | pyup-bot
2018-01-01 | Update attrs from 17.3.0 to 17.4.0 | pyup-bot
2018-01-01 | Update attrs from 17.3.0 to 17.4.0 | pyup-bot
2017-12-30 | Fix MANIFEST.in for testbrowser | Florian Bruhin
2017-12-29 | Use a dict for ModeManager.eventFilter | Florian Bruhin
2017-12-29 | Remove filtering of mouse events | Florian Bruhin
This was needed for the hide-mouse-cursor setting. However, this setting was removed in 2223a285ef4a49adabe735d558db9ab7b65ff78a, so this code has been dead since then.
2017-12-29 | Clean up testbrowser scripts | Florian Bruhin
2017-12-29 | Update qutebrowser xpm | Florian Bruhin
2017-12-27 | filter out records with None in any field. | Manuel Seelaus
2017-12-27 | Default raise_windows() alert param to True to preserve existing | RyanJenkins
behavior
2017-12-26 | Raise browser window after editor closes regardless of outcome of | RyanJenkins
inserting text and avoid calling QApplication.instance().alert() in this scenario.
2017-12-26 | Merge pull request #3441 from strburst/doc-configuring-fix-typo | Florian Bruhin
Fix minor doc typo in example code
2017-12-26 | Fix minor doc typo in example code | Allen Zheng
There should be an extra parenthesis to close the call to the outer print function.
2017-12-26 | Update changelog | Florian Bruhin