Age | Commit message (Collapse) | Author |
|
(cherry picked from commit 41b05f954882313131a75ccbc53c1e373a915d38)
|
|
On Windows, if an application is registered as an URL handler like this:
HKEY_CLASSES_ROOT
https
URL Protocol = ""
[...]
shell
open
command
(Default) = ".../qutebrowser.exe" "%1"
one would think that Windows takes care of making sure URLs can't inject
arguments by containing a quote. However, this is not the case, as
stated by the Microsoft docs:
https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa767914(v=vs.85)
Security Warning: Applications that handle URI schemes must consider how to
respond to malicious data. Because handler applications can receive data
from untrusted sources, the URI and other parameter values passed to the
application may contain malicious data that attempts to exploit the handling
application.
and
As noted above, the string that is passed to a pluggable protocol handler
might be broken across multiple parameters. Malicious parties could use
additional quote or backslash characters to pass additional command line
parameters. For this reason, pluggable protocol handlers should assume that
any parameters on the command line could come from malicious parties, and
carefully validate them. Applications that could initiate dangerous actions
based on external data must first confirm those actions with the user. In
addition, handling applications should be tested with URIs that are overly
long or contain unexpected (or undesirable) character sequences.
Indeed it's trivial to pass a command to qutebrowser this way - given how
trivial the exploit is to recreate given the information above, here's a PoC:
https:x" ":spawn calc
(or qutebrowserurl: instead of https: if qutebrowser isn't registered as a
default browser)
Some applications do escape the quote characters before calling
qutebrowser - but others, like Outlook Desktop or .url files, do not.
As a fix, we add an --untrusted-args flag and some early validation of the raw
sys.argv, before parsing any arguments or e.g. creating a QApplication (which
might already allow injecting Qt flags there).
We assume that there's no way for an attacker to inject flags *before* the %1
placeholder in the registry, and add --untrusted-args as the last argument of
the registry entry. This way, it'd still be possible for users to customize
their invocation flags without having to remove --untrusted-args.
After --untrusted-args, however, we have some rather strict checks:
- There should be zero or one arguments, but not two (or more)
- Any argument may not start with - (flag) or : (qutebrowser command)
We also add the --untrusted-args flag to the Linux .desktop file, though it
should not be needed there, as the specification there is sane:
https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html#exec-variables
Implementations must take care not to expand field codes into multiple
arguments unless explicitly instructed by this specification. This means
that name fields, filenames and other replacements that can contain spaces
must be passed as a single argument to the executable program after
expansion.
There is no comparable mechanism on macOS, which opens the application without
arguments and then sends an "open" event to it:
https://doc.qt.io/qt-5/qfileopenevent.html
This issue was introduced in qutebrowser v1.7.0 which started registering it as
URL handler: baee2888907b260881d5831c68500941937261a0 / #4086
This is by no means an issue isolated to qutebrowser. Many other projects have
had similar trouble with Windows' rather unexpected behavior:
Electron / Exodus Bitcoin wallet:
- http://web.archive.org/web/20190702112128/https://medium.com/0xcc/electrons-bug-shellexecute-to-blame-cacb433d0d62
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000006
- https://medium.com/hackernoon/exploiting-electron-rce-in-exodus-wallet-d9e6db13c374
IE/Firefox:
- https://bugzilla.mozilla.org/show_bug.cgi?id=384384
- https://bugzilla.mozilla.org/show_bug.cgi?id=1572838
Others:
- http://web.archive.org/web/20210930203632/https://www.vdoo.com/blog/exploiting-custom-protocol-handlers-in-windows
- https://parsiya.net/blog/2021-03-17-attack-surface-analysis-part-2-custom-protocol-handlers/
- etc. etc.
See CVE-2021-41146 / GHSA-vw27-fwjf-5qxm:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41146
https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm
Thanks to Ping Fan (Zetta) Ke of Valkyrie-X Security Research Group
(VXRL/@vxresearch) for finding and responsibly disclosing this issue.
(cherry picked from commit 8f46ba3f6dc7b18375f7aa63c48a1fe461190430)
# Conflicts:
# qutebrowser/qutebrowser.py
# tests/unit/test_qutebrowser.py
|
|
When trying to release in my Windows VM, I get:
[1568:5924:1204/204551.986:ERROR:dxva_video_decode_accelerator_win.cc(1399)]
DXVAVDA fatal error: could not LoadLibrary: mf.dll: The specified
module could not be found. (0x7E)
[1568:5924:1204/204551.986:ERROR:dxva_video_decode_accelerator_win.cc(1399)]
DXVAVDA fatal error: could not LoadLibrary: mfplat.dll: The
specified module could not be found. (0x7E)
[1568:5924:1204/204551.986:ERROR:dxva_video_decode_accelerator_win.cc(1399)]
DXVAVDA fatal error: could not LoadLibrary: msmpeg2vdec.dll: The
specified module could not be found. (0x7E)
[1568:5924:1204/204551.986:ERROR:dxva_video_decode_accelerator_win.cc(1407)]
DXVAVDA fatal error: could not LoadLibrary: msvproc.dll: The
specified module could not be found. (0x7E)
This seems to happen on Windows 10 N only, where the Windows Media
features (and thus probably DLLs) are missing.
See https://github.com/microsoft/playwright/issues/2901
(cherry picked from commit 2e65f731b1b615b5cd60417c00b6993c2295e9f8)
|
|
(cherry picked from commit 1dea8ace642ef8c3c8948168cbab7c12138ad24e)
|
|
|
|
(cherry picked from commit 3e7cd06060a1efe1da4371f045bdaa6c9f57e899)
|
|
|
|
|
|
|
|
|
|
See https://github.com/pypa/setuptools/issues/2466
(cherry picked from commit 822bfec3b47f10fe8c9a319d0b0b154adf83abb3)
|
|
|
|
(cherry picked from commit 77d5a08b917793e975b198206b44ffae021721e6)
|
|
Looks like :jseval is somehow special on QtWebKit...
(cherry picked from commit a88a48b516fe6444fef63aa8ea6c380f3566bc68)
|
|
See #5810 and #5813
(cherry picked from commit 04963c1beee371ff3cddea7e0027dfdb82e1a988)
|
|
(cherry picked from commit 226df4558b7cc88ee231bca610eeace24d00cc01)
|
|
|
|
(cherry picked from commit 199186f62cf16e4f7f3081c649b5f07dfb2c7f4d)
|
|
(cherry picked from commit 40a1772fdea98fc1ecc168a5f75aa296cb7fdf5e)
This isn't what #5813 actually ended up as, but is an earlier, less
intrusive version of the same change, which is what I'm going with for
v1.14.1.
|
|
(cherry picked from commit 296c5e1dc4e1ba86841b8cb7c3ea106975b67981)
|
|
|
|
(cherry picked from commit 6d189951eaa60d77d2bf894a7e20b303d3699f8c)
|
|
|
|
While there's no actual "bad" changes in Qt 5.15.1/.2 outside of
QtWebEngine, many of our version checks still check for the qtbase
rather than the qtwebengine version.
See #3785
(cherry picked from commit fc33bd043da25298b18978dea8c0f9cc78833979)
|
|
|
|
(cherry picked from commit 86d871038034fe1a627241741e39eceecb12614c)
|
|
Turns out Qt 5.15.{0,1} also needs `--force-dark-mode`. This commit
fixes it to only use the blink-setting on Qt 5.15.2 and up. It also
parameterizes the tests better to test that the settings work on their
respective Qt versions.
(cherry picked from commit 1f67527662a076aa0a3caf5348f9ba6b663f4a0e)
|
|
Took @The-Compiler's suggestions and removed unnecessary cruft from the
colorscheme invocation test.
(cherry picked from commit 6d01062305e554f3d0e8989f0ba45c998c425ef1)
|
|
With the addition of blink-settings for ensuring the correct color
scheme, this test makes sure the browser is obeying it via a media
match query through javascript. Any HTML page will do, so
`qute://version` is opened and tested against.
(cherry picked from commit 6feaeb247921de22318a7cc18251260ad1adbb86)
|
|
On Qt 5.15+, `--force-dark-mode` does not set the preferred colorscheme.
A blink-setting is used instead to set the preferred colorscheme.
The `--force-dark-mode` flag is only set for Qt 5.14. All later versions
will use the blink-setting flag.
(cherry picked from commit 314c81b24eb9f9457ccdb5c682d718cf24f24a76)
# Conflicts:
# qutebrowser/browser/webengine/darkmode.py
# tests/unit/browser/webengine/test_darkmode.py
|
|
|
|
|
|
(cherry picked from commit 872e439cd922e798a8489bfdc7c6d4cb4ca9d8bc)
|
|
(cherry picked from commit 627402887215665be1d57408156e64442f6ac17a)
(cherry picked from commit 9774208b63bb00e169376c25c68983beae6709e9)
|
|
We test Qt 5.15.2, but that's based on a newer Chromium version:
Qt 5.14.x -> Chromium 77
Qt 5.15.0 -> Chromium 80
Qt 5.15.2 -> Chromium 83
Some behavior changes between Chromium versions (see e.g. #5915), so it
makes sense to test both.
Picking 5.15.0 rather than .1 due to renderer process crashes in
5.15.1 (#5721). Doesn't matter much on the CI as we don't use WebRTC,
but if someone wants to downgrade with mkvenv.py for some reason, .0
will be more useful than .1.
(cherry picked from commit 64c1c03d5bdc60e6218b046567f812d6406b6779)
|
|
|
|
(cherry picked from commit 83c2e32bca05023026578ac9b64f7a5938772e9d)
|
|
|
|
Causes issues, let's keep this in master instead.
This reverts commit 5628d8309b329e686f03cf06d469fa1a5136b990.
|
|
This perhaps was required when originally added in
3466ee03f60d1f949a9e40271854806987e6a260, but doesn't seem to be needed
nowadays anymore. With cheroot 8.4.4+, it seems to break terminating of
the subprocess, see https://github.com/cherrypy/cheroot/issues/328.
(cherry picked from commit a39d2d419d9a9d5a00c8b9ca815092801f99fadc)
|
|
(cherry picked from commit 3126ce6686137ae7d9e88dfa443692693f2f77d5)
|
|
See #5752
(cherry picked from commit 5181b6084df972f2ba0484086119797797012e1f)
|
|
(cherry picked from commit cea22f18fb40cfb7ae18a46808e04b5d5df78b27)
|
|
In eade305965b68627d4313e0664979692a7025994 we originally added the
signal (as "predicted_navigation") and connected it in BrowserTab. With
eade305965b68627d4313e0664979692a7025994 we accidentally added another
connection, so it was now connected twice.
Thanks to GammaRay!
(cherry picked from commit f89718019977784cb3baf50dff4940de47653a9c)
|
|
The package on fedora is called `qt5-qtwebengine-devtools`. While a minor issue it helps
pointing users to the needed package when trying to install.
This seems to be the case for all Fedora versions at least 30 or higher:
https://pkgs.org/download/qt5-qtwebengine-devtools
(cherry picked from commit 1adcb61261bbb4f164112ac4aebee70391eb3c10)
|
|
(cherry picked from commit daadd16fb18ae73943fc2d8da3955606dd4e7147)
|
|
(cherry picked from commit b5acb7464153d7f390ff819538bed16000e34ffd)
|
|
|
|
|
|
|