(cherry picked from commit 41b05f954882313131a75ccbc53c1e373a915d38)
On Windows, if an application is registered as an URL handler like this:
    HKEY_CLASSES_ROOT
      https
        URL Protocol = ""
        [...]
        shell
          open
            command
              (Default) = ".../qutebrowser.exe" "%1"
one would think that Windows takes care of making sure URLs can't inject
arguments by containing a quote. However, this is not the case, as
stated by the Microsoft docs:
https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa767914(v=vs.85)
    Security Warning: Applications that handle URI schemes must consider how to
    respond to malicious data. Because handler applications can receive data
    from untrusted sources, the URI and other parameter values passed to the
    application may contain malicious data that attempts to exploit the handling
    application.
and
    As noted above, the string that is passed to a pluggable protocol handler
    might be broken across multiple parameters. Malicious parties could use
    additional quote or backslash characters to pass additional command line
    parameters. For this reason, pluggable protocol handlers should assume that
    any parameters on the command line could come from malicious parties, and
    carefully validate them. Applications that could initiate dangerous actions
    based on external data must first confirm those actions with the user. In
    addition, handling applications should be tested with URIs that are overly
    long or contain unexpected (or undesirable) character sequences.
Indeed it's trivial to pass a command to qutebrowser this way - given how
trivial the exploit is to recreate given the information above, here's a PoC:
    https:x" ":spawn calc
(or qutebrowserurl: instead of https: if qutebrowser isn't registered as a
default browser)
Some applications do escape the quote characters before calling
qutebrowser - but others, like Outlook Desktop or .url files, do not.
As a fix, we add an --untrusted-args flag and some early validation of the raw
sys.argv, before parsing any arguments or e.g. creating a QApplication (which
might already allow injecting Qt flags there).
We assume that there's no way for an attacker to inject flags *before* the %1
placeholder in the registry, and add --untrusted-args as the last argument of
the registry entry. This way, it'd still be possible for users to customize
their invocation flags without having to remove --untrusted-args.
After --untrusted-args, however, we have some rather strict checks:
- There should be zero or one arguments, but not two (or more)
- Any argument may not start with - (flag) or : (qutebrowser command)
We also add the --untrusted-args flag to the Linux .desktop file, though it
should not be needed there, as the specification there is sane:
https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html#exec-variables
    Implementations must take care not to expand field codes into multiple
    arguments unless explicitly instructed by this specification. This means
    that name fields, filenames and other replacements that can contain spaces
    must be passed as a single argument to the executable program after
    expansion.
There is no comparable mechanism on macOS, which opens the application without
arguments and then sends an "open" event to it:
https://doc.qt.io/qt-5/qfileopenevent.html
This issue was introduced in qutebrowser v1.7.0 which started registering it as
URL handler: baee2888907b260881d5831c68500941937261a0 / #4086
This is by no means an issue isolated to qutebrowser. Many other projects have
had similar trouble with Windows' rather unexpected behavior:
Electron / Exodus Bitcoin wallet:
- http://web.archive.org/web/20190702112128/https://medium.com/0xcc/electrons-bug-shellexecute-to-blame-cacb433d0d62
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000006
- https://medium.com/hackernoon/exploiting-electron-rce-in-exodus-wallet-d9e6db13c374
IE/Firefox:
- https://bugzilla.mozilla.org/show_bug.cgi?id=384384
- https://bugzilla.mozilla.org/show_bug.cgi?id=1572838
Others:
- http://web.archive.org/web/20210930203632/https://www.vdoo.com/blog/exploiting-custom-protocol-handlers-in-windows
- https://parsiya.net/blog/2021-03-17-attack-surface-analysis-part-2-custom-protocol-handlers/
- etc. etc.
See CVE-2021-41146 / GHSA-vw27-fwjf-5qxm:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41146
https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm
Thanks to Ping Fan (Zetta) Ke of Valkyrie-X Security Research Group
(VXRL/@vxresearch) for finding and responsibly disclosing this issue.
(cherry picked from commit 8f46ba3f6dc7b18375f7aa63c48a1fe461190430)
# Conflicts:
# qutebrowser/qutebrowser.py
# tests/unit/test_qutebrowser.py
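An added illustration (not qutebrowser's own code) of the two checks the message lists for arguments following --untrusted-args, run over constructed argv lists standing for what the handler receives after Windows expands "%1". It assumes a registry command of the form ".../qutebrowser.exe" --untrusted-args "%1", with the flag placed last before the placeholder as the message describes; the function names and the sample URLs and flags are hypothetical.

```python
"""Early validation of raw sys.argv after --untrusted-args (added example)."""
from typing import Sequence

UNTRUSTED_FLAG = "--untrusted-args"


class UntrustedArgsError(ValueError):
    """Raised when the arguments after --untrusted-args look injected."""


def validate_untrusted_args(argv: Sequence[str]) -> None:
    """Reject argv if anything after --untrusted-args could be a flag or command.

    Deliberately stdlib-only: this has to run on the raw argv before any
    argument parsing or QApplication creation, as the commit message requires.
    """
    if UNTRUSTED_FLAG not in argv:
        return  # invoked without the flag, e.g. by the user from a terminal
    untrusted = list(argv[argv.index(UNTRUSTED_FLAG) + 1:])
    # Check 1: one "%1" expansion must yield zero or one argument. A quote in
    # the URL splits it into several arguments, which is the injection.
    if len(untrusted) > 1:
        raise UntrustedArgsError(
            f"{len(untrusted)} arguments after {UNTRUSTED_FLAG}: {untrusted!r}")
    # Check 2: the single argument may be neither a flag nor a ':' command.
    if untrusted and untrusted[0].startswith(("-", ":")):
        raise UntrustedArgsError(
            f"flag or command after {UNTRUSTED_FLAG}: {untrusted[0]!r}")


def accepted(argv: Sequence[str]) -> bool:
    """True if argv passes the checks (helper for the constructed cases)."""
    try:
        validate_untrusted_args(argv)
    except UntrustedArgsError:
        return False
    return True


# Constructed argv lists (hypothetical values) for the registry command
#   ".../qutebrowser.exe" --untrusted-args "%1"
BENIGN_ARGV = ["qutebrowser.exe", UNTRUSTED_FLAG, "https://example.com/?q=a b"]
INJECTED_ARGV = ["qutebrowser.exe", UNTRUSTED_FLAG, "https:x", ":spawn calc"]
COMMAND_ARGV = ["qutebrowser.exe", UNTRUSTED_FLAG, ":spawn calc"]
FLAG_ARGV = ["qutebrowser.exe", UNTRUSTED_FLAG, "--some-flag"]
TRUSTED_ARGV = ["qutebrowser.exe", "--some-flag", "https://example.com"]

if __name__ == "__main__":
    for name, argv in [("benign", BENIGN_ARGV), ("injected", INJECTED_ARGV)]:
        print(name, "accepted" if accepted(argv) else "rejected")
```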
(cherry picked from commit a03348f95111af5c86819f1397c5b633cec1a968)
If visiting an URL and then later using :back, we accidentally opened the last
URL in the back/forward history rather than the current one.
See #5359
Fixes #5566
(cherry picked from commit 8f073ee095c91748bf273620dcd51fcb4b2bc776)
See #5359
(cherry picked from commit 0c43cbdede96c40133d9f993a2afabab21ea3015)
(cherry picked from commit d0ae9ba232ea0d71de1a3fcd2817274a1d1c3a7e)
(cherry picked from commit 5dc0e6528b21588750fadae4376a34db68d62f7f)
(cherry picked from commit 4f83bf655974e55f78e600026a4947ad00694297)
If lineno is set to None in the LogRecord, pytest's logging formatting fails:
    tests/unit/utils/test_log.py:418: in test_empty_message
        log.qt_message_handler(QtCore.QtDebugMsg, self.Context(), "")
    qutebrowser/utils/log.py:508: in qt_message_handler
        qt.handle(record)
    /usr/lib/python3.8/logging/__init__.py:1587: in handle
        self.callHandlers(record)
    /usr/lib/python3.8/logging/__init__.py:1649: in callHandlers
        hdlr.handle(record)
    /usr/lib/python3.8/logging/__init__.py:950: in handle
        self.emit(record)
    ../../pytest/src/_pytest/logging.py:326: in emit
        super().emit(record)
    /usr/lib/python3.8/logging/__init__.py:1089: in emit
        self.handleError(record)
    /usr/lib/python3.8/logging/__init__.py:1081: in emit
        msg = self.format(record)
    /usr/lib/python3.8/logging/__init__.py:925: in format
        return fmt.format(record)
    ../../pytest/src/_pytest/logging.py:89: in format
        return super().format(record)
    /usr/lib/python3.8/logging/__init__.py:667: in format
        s = self.formatMessage(record)
    /usr/lib/python3.8/logging/__init__.py:636: in formatMessage
        return self._style.format(record)
    ../../pytest/src/_pytest/logging.py:185: in format
        return self._fmt % record.__dict__
    E   TypeError: %d format: a number is required, not NoneType
According to typeshed, lineno should never be None:
https://github.com/python/typeshed/blob/028f0d52931fe1f96bb25d066186961159c1f801/stdlib/2and3/logging/__init__.pyi#L386
Thus, this is our fault, not pytest's. However, before pytest 6.0.0, pytest did
not surface logging errors:
https://github.com/pytest-dev/pytest/pull/7231
https://github.com/pytest-dev/pytest/commit/b13fcb23d79b3f38e497824c438c926a0a015561
Thus, we never noticed something was going wrong here.
(cherry picked from commit e206d346ced90aa4d8d8411baa1f9cc92406f16c)
Make mypy happy
It doesn't know about QMessageLogContext.lineno being Optional[int] rather than
int.
(cherry picked from commit 4136c847fdece2a0752e3029872a41bc41b103a3)
(cherry picked from commit 6c9b088834d10fd6861551bf8ede5f896706a1ac)
(cherry picked from commit b77891fce795c741f389d6e4080c1f68ab9b615c)
(cherry picked from commit ad645bba524f6cc27ee8122d44fccd6aea040708)
Fix PYINSTALLER_DEBUG
(cherry picked from commit f50faee0eaac79fc57f7090abb060cf587a83d73)
See #3832
(cherry picked from commit 7d388163106b4efa07b13ee515e0534a43cd6510)
So we don't e.g. switch from passthrough to insert mode when the inspector is
clicked.
(cherry picked from commit 64d3c04d4dee8130787ce8dc795485310beed181)
(cherry picked from commit 8d05f0282a271bfd45e614238bd1b555c58b3fc1)
Closes #5557
(cherry picked from commit 7a7410d9064fece78fdf73c603cc2a3011eb2c92)
For some reason, the event filter stopped inhibiting the context menu with Qt
5.9 (or possibly 5.8).
(cherry picked from commit 0ed215d81f9a6db8da1aab08c89e6031fb157984)
Remove unnecessary return
(cherry picked from commit 815920657687a0f8f237a85711573afdb91d072c)
This allows running mkvenv.py without having Pygments installed system-wide.
Prepending to the PATH (rather than appending) so that the virtualenv's one is
always used, so the system-wide one can be older or broken.
(cherry picked from commit 362d9d917ba0c796c2c8f9813e66634cae54b422)
See https://bugreports.qt.io/browse/QTBUG-82105
Fixes #5279
(cherry picked from commit 27c657350872e098fcb6d2f6d975a4557f23bab6)
(cherry picked from commit 7c4a1b03f5156c68b87f3560218f93c8184afd96)
(cherry picked from commit cb15192cd65fa9d4479f96ccc85428dc438255a1)
For some reason, __file__ was "scripts/dev/../asciidoc2html.py", causing
.parents[1] to point to "scripts/dev/" instead of "scripts/".
See #5534
(cherry picked from commit eed0373feb1a1750aa834b9c8d3524ddb1833780)
Now that we know how this happens (notification permissions in incognito mode),
we don't need to log a warning here.
The loaded page caused a 404, but we didn't wait for the new error logging
message. Most of the time that went well because we quit before it could be
logged, but not always.
See https://github.com/qutebrowser/qutebrowser/issues/5390#issuecomment-629268747
Not done by default with "tox -e mypy" because it disables mypy's caching,
causing its runtime to go from <1s to ~15s:
https://github.com/python/mypy/issues/9041
See #1456
Let's assume this doesn't segfault anymore nowadays and let's see what happens.
Closes #1614
There likely was a race condition between JS processing the input and us
clicking the button there. Log the text async from JS via oninput= to avoid
having to click a button.
See https://github.com/qutebrowser/qutebrowser/issues/5390#issuecomment-625179233
After 86d794320343e58467d34daad8cc9a1b8011a512, this now also re-adds the
workaround for QTBUG-58982 (#2290) because it is apparently still needed with
Qt 5.7...
This reverts commit 87d7dd93420ab92a1a209919297371dc0fadcecd.
How the handle width of 5 is distributed on macOS seems totally random.
Instead of trying to get our calculations to work, just force the handle width
to an even number.
This was removed in f5f3bf63b58d5a2a73a777b199b9dbc0b360fb66 but is still
needed so that the underlying QWebEngineView is actually deleted with Qt <
5.12. Otherwise, test_spawning_an_editor_and_closing_the_tab in
test_editor_bdd.py would fail because the element doesn't actually vanish.
Turns out 7a6e4821a1d5e1cd472e1be639c70858adec93d8 was the wrong way around!
Some tests (e.g. in test_invocations.py) still seem to segfault without this.
This partially reverts 87d7dd93420ab92a1a209919297371dc0fadcecd.
See #2261
This reverts commit 370bd12a1512f5164be0e3ae1838515957e587fb.
Turns out one of the workarounds removed in
87d7dd93420ab92a1a209919297371dc0fadcecd is still needed until Qt 5.12...
Needs re.MULTILINE because of the qutebrowser ASCII art logo...