Age | Commit message (Collapse) | Author | |
---|---|---|---|
2018-07-11 | CVE-2018-10895: Fix CSRF issues with qute://settings/set URLv1.1.x | Florian Bruhin | |
In ffc29ee043ae7336d9b9dcc029a05bf7a3f994e8 (part of v1.0.0), a qute://settings/set URL was added to change settings. Contrary to what I apparently believed at the time, it *is* possible for websites to access `qute://*` URLs (i.e., neither QtWebKit nor QtWebEngine prohibit such requests, other than the usual cross-origin rules). In other words, this means a website can e.g. have an `<img>` tag which loads a `qute://settings/set` URL, which then sets `editor.command` to a bash script. The result of that is arbitrary code execution. Fixes #4060 See #2332 (cherry picked from commit 43e58ac865ff862c2008c510fc5f7627e10b4660) | |||
2018-03-01 | Release v1.1.2v1.1.2 | Florian Bruhin | |
2018-03-01 | Upgrade to PyQt 5.10.1 | Florian Bruhin | |
(cherry picked from commit 889b03169a6b59f91b58a2f4ea7c6807bc0ac6fd) | |||
2018-02-28 | Update changelog from master | Florian Bruhin | |
2018-02-28 | Don't load the URL immediately on :undo | Florian Bruhin | |
On some pages like Qt's Gerrit, Indiegogo or Telegram Web, this caused a crash with QtWebEngine and Qt 5.10.1 in QtWebEngineCore::WebContentsAdapter::webContents(). I'm not sure what causes the crash exactly, but I'm guessing it's some kind of race condition between loading the URL initially and deserializing the history, which both ends up loading the URL. Since restoring the history means we end up on the given URL anyways, let's just not open the URL beforehand, which seems to fix this. Fixes #3619. (cherry picked from commit d44ff5ba01bea65444b96a05eb5252a39b99824f) | |||
2018-02-28 | Fix typing.Union checks with Python 3.7 | Florian Bruhin | |
(cherry picked from commit 63766c1711548ed119d197be22740b4cd4e3f61a) | |||
2018-01-20 | Release v1.1.1v1.1.1 | Florian Bruhin | |
2018-01-20 | Update changelog for v1.1.1 | Florian Bruhin | |
2018-01-20 | Fix crash when getting signals for closed tabs | Florian Bruhin | |
Fixes #3498 (cherry picked from commit 748de85ba2cc7bd8557a87fce88aab0ac3f3ad27) | |||
2018-01-15 | Fix Makefile and make sure it's tested | Florian Bruhin | |
Fixes #3492 (cherry picked from commit d06f07af80f1858d960d4ea6edd71546da280d93) | |||
2018-01-15 | Release v1.1.0v1.1.0 | Florian Bruhin | |
2018-01-15 | Update changelog for v1.1.0 | Florian Bruhin | |
2018-01-15 | Merge pull request #3445 from seelaman/hist_import-cleaning | Florian Bruhin | |
filter out records with None in any field. | |||
2018-01-15 | Merge pull request #3491 from qutebrowser/pyup-scheduled-update-01-15-2018 | Florian Bruhin | |
Scheduled weekly dependency update for week 02 | |||
2018-01-15 | Update hypothesis from 3.44.13 to 3.44.16 | pyup-bot | |
2018-01-14 | Fix crash when clicking <form> element with name="value" child | Florian Bruhin | |
https://stackoverflow.com/q/22942689/2085149 Fixes #2877 See #2569 | |||
2018-01-10 | Update changelog | Florian Bruhin | |
2018-01-10 | Merge remote-tracking branch 'origin/pr/3432' | Florian Bruhin | |
2018-01-10 | Merge remote-tracking branch 'origin/pr/3423' | Florian Bruhin | |
2018-01-10 | Update changelog | Florian Bruhin | |
2018-01-10 | Merge remote-tracking branch 'origin/pr/3468' | Florian Bruhin | |
2018-01-09 | Merge pull request #3475 from qutebrowser/pyup-scheduled-update-01-08-2018 | Florian Bruhin | |
Scheduled weekly dependency update for week 01 | |||
2018-01-08 | Update pytest-qt from 2.3.0 to 2.3.1 | pyup-bot | |
2018-01-08 | Update hypothesis from 3.44.4 to 3.44.13 | pyup-bot | |
2018-01-08 | Update setuptools from 38.2.5 to 38.4.0 | pyup-bot | |
2018-01-08 | Update pep8-naming from 0.4.1 to 0.5.0 | pyup-bot | |
2018-01-08 | Update flake8-future-import from 0.4.3 to 0.4.4 | pyup-bot | |
2018-01-08 | Update flake8-docstrings from 1.1.0 to 1.3.0 | pyup-bot | |
2018-01-08 | Update codecov from 2.0.10 to 2.0.13 | pyup-bot | |
2018-01-06 | Merge pull request #3454 from qutebrowser/pyup-scheduled-update-01-01-2018 | Florian Bruhin | |
Scheduled weekly dependency update for week 00 | |||
2018-01-05 | Pin pytest to 3.3.1 for now | Florian Bruhin | |
See https://github.com/pytest-dev/pytest-bdd/issues/229 | |||
2018-01-04 | Don't attempt completion if input starts with flag. | Ryan Roden-Corrent | |
Always interpret the first word in the command string as the command to offer completions for, even if that word looks like a flag. Fixes #3460, where the command string `:-w open` would attempt to offer completions for `open` but crash because the parsing was thrown off. By moving the flag-stripping logic to _after_ we determine the command, `:-w open` interprets `:-w` as the command. Since that is not a valid command, we won't offer any completions. | |||
2018-01-03 | Remove old testbrowser.py | Florian Bruhin | |
2018-01-02 | replace empty titles with an empty string. ↵ | Manuel Seelaus | |
https://github.com/qutebrowser/qutebrowser/pull/3445#issuecomment-354840724 | |||
2018-01-01 | Update werkzeug from 0.13 to 0.14.1 | pyup-bot | |
2018-01-01 | Update flake8-polyfill from 1.0.1 to 1.0.2 | pyup-bot | |
2018-01-01 | Update attrs from 17.3.0 to 17.4.0 | pyup-bot | |
2018-01-01 | Update attrs from 17.3.0 to 17.4.0 | pyup-bot | |
2018-01-01 | Update attrs from 17.3.0 to 17.4.0 | pyup-bot | |
2017-12-30 | Fix MANIFEST.in for testbrowser | Florian Bruhin | |
2017-12-29 | Use a dict for ModeManager.eventFilter | Florian Bruhin | |
2017-12-29 | Remove filtering of mouse events | Florian Bruhin | |
This was needed for the hide-mouse-cursor setting. However, this setting was removed in 2223a285ef4a49adabe735d558db9ab7b65ff78a, so this code has been dead since then. | |||
2017-12-29 | Clean up testbrowser scripts | Florian Bruhin | |
2017-12-29 | Update qutebrowser xpm | Florian Bruhin | |
2017-12-27 | filter out records with None in any field. | Manuel Seelaus | |
2017-12-27 | Default raise_windows() alert param to True to preserve existing | RyanJenkins | |
behavior | |||
2017-12-26 | Raise browser window after editor closes regardless of outcome of | RyanJenkins | |
inserting text and avoid calling QApplication.instance().alert() in this scenario. | |||
2017-12-26 | Merge pull request #3441 from strburst/doc-configuring-fix-typo | Florian Bruhin | |
Fix minor doc typo in example code | |||
2017-12-26 | Fix minor doc typo in example code | Allen Zheng | |
There should be an extra parenthesis to close the call to the outer print function. | |||
2017-12-26 | Update changelog | Florian Bruhin | |