Age | Commit message (Collapse) | Author |
|
(cherry picked from commit 41b05f954882313131a75ccbc53c1e373a915d38)
|
|
On Windows, if an application is registered as an URL handler like this:
HKEY_CLASSES_ROOT
https
URL Protocol = ""
[...]
shell
open
command
(Default) = ".../qutebrowser.exe" "%1"
one would think that Windows takes care of making sure URLs can't inject
arguments by containing a quote. However, this is not the case, as
stated by the Microsoft docs:
https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa767914(v=vs.85)
Security Warning: Applications that handle URI schemes must consider how to
respond to malicious data. Because handler applications can receive data
from untrusted sources, the URI and other parameter values passed to the
application may contain malicious data that attempts to exploit the handling
application.
and
As noted above, the string that is passed to a pluggable protocol handler
might be broken across multiple parameters. Malicious parties could use
additional quote or backslash characters to pass additional command line
parameters. For this reason, pluggable protocol handlers should assume that
any parameters on the command line could come from malicious parties, and
carefully validate them. Applications that could initiate dangerous actions
based on external data must first confirm those actions with the user. In
addition, handling applications should be tested with URIs that are overly
long or contain unexpected (or undesirable) character sequences.
Indeed it's trivial to pass a command to qutebrowser this way - given how
trivial the exploit is to recreate given the information above, here's a PoC:
https:x" ":spawn calc
(or qutebrowserurl: instead of https: if qutebrowser isn't registered as a
default browser)
Some applications do escape the quote characters before calling
qutebrowser - but others, like Outlook Desktop or .url files, do not.
As a fix, we add an --untrusted-args flag and some early validation of the raw
sys.argv, before parsing any arguments or e.g. creating a QApplication (which
might already allow injecting Qt flags there).
We assume that there's no way for an attacker to inject flags *before* the %1
placeholder in the registry, and add --untrusted-args as the last argument of
the registry entry. This way, it'd still be possible for users to customize
their invocation flags without having to remove --untrusted-args.
After --untrusted-args, however, we have some rather strict checks:
- There should be zero or one arguments, but not two (or more)
- Any argument may not start with - (flag) or : (qutebrowser command)
We also add the --untrusted-args flag to the Linux .desktop file, though it
should not be needed there, as the specification there is sane:
https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html#exec-variables
Implementations must take care not to expand field codes into multiple
arguments unless explicitly instructed by this specification. This means
that name fields, filenames and other replacements that can contain spaces
must be passed as a single argument to the executable program after
expansion.
There is no comparable mechanism on macOS, which opens the application without
arguments and then sends an "open" event to it:
https://doc.qt.io/qt-5/qfileopenevent.html
This issue was introduced in qutebrowser v1.7.0 which started registering it as
URL handler: baee2888907b260881d5831c68500941937261a0 / #4086
This is by no means an issue isolated to qutebrowser. Many other projects have
had similar trouble with Windows' rather unexpected behavior:
Electron / Exodus Bitcoin wallet:
- http://web.archive.org/web/20190702112128/https://medium.com/0xcc/electrons-bug-shellexecute-to-blame-cacb433d0d62
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000006
- https://medium.com/hackernoon/exploiting-electron-rce-in-exodus-wallet-d9e6db13c374
IE/Firefox:
- https://bugzilla.mozilla.org/show_bug.cgi?id=384384
- https://bugzilla.mozilla.org/show_bug.cgi?id=1572838
Others:
- http://web.archive.org/web/20210930203632/https://www.vdoo.com/blog/exploiting-custom-protocol-handlers-in-windows
- https://parsiya.net/blog/2021-03-17-attack-surface-analysis-part-2-custom-protocol-handlers/
- etc. etc.
See CVE-2021-41146 / GHSA-vw27-fwjf-5qxm:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41146
https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm
Thanks to Ping Fan (Zetta) Ke of Valkyrie-X Security Research Group
(VXRL/@vxresearch) for finding and responsibly disclosing this issue.
(cherry picked from commit 8f46ba3f6dc7b18375f7aa63c48a1fe461190430)
# Conflicts:
# qutebrowser/qutebrowser.py
# tests/unit/test_qutebrowser.py
|
|
(cherry picked from commit ee9f3fc7cbfd976b3d9ca467322ebfdf7ed7e6a7)
# Conflicts:
# misc/requirements/requirements-pylint.txt
|
|
This should help with virus scanner false positives.
See https://github.com/pyinstaller/pyinstaller/issues/5579
Fixes #6081
Fixes #6194
(cherry picked from commit 2b9108113d93284cbb84879dbf3d768abe513056)
|
|
|
|
|
|
If we are e.g. loading a secondary file via config.source() before
config.load_autoconfig(False) has been called in the main one, we don't
care about the warning. Neither should :config-source fail if we started
with the warning for the main config.
Fixes #6099
|
|
Fixes #6091
(cherry picked from commit 7bfd62ed0d087a54ab8746674ced3d66d5e650c5)
|
|
(cherry picked from commit 985c711e49d9503e52964766fceda78802aae656)
|
|
When using open_url_in_instance.sh, it runs qutebrowser passing a single
empty argument to it. This doesn't properly open a new window, but opens
a window without any tabs instead. Interacting with that will then lead
to a RegistryUnavailableError.
We now special-case that behavior, though there might be a more involved
proper fix for "" handling needed at a later point.
Fixes #6122
(cherry picked from commit e42e1230a10823d1fb94db6075d0cdfbff612c06)
|
|
(cherry picked from commit 90b598282b9777164cfaf44bd717c499d1067194)
|
|
|
|
- Re-add the force_rebuild key which we need internally again. This
partially reverts changes from:
* cd0000f728459f208c4cf69f29b603fbcab6ffb4
* 1a9b59fcfa73d1505834d8461ee166f07fb201cd
* 93ecd8f72f108743948f0d1881055ff2337058ec
- Instead of checking self.completion to figure out whether we need to
rebuild anything, check 'self' (i.e. the History table, not the
CompletionHistory table). If something went wrong during the last
rebuild, the CompletionHistory might still be empty, but History is what
actually matters to figure out whether to rebuild.
- Set force_rebuild while rebuilding the history, so that a possible
interruption of the process (e.g. by a killed process or crash)
results in another rebuild from scratch.
- Bump up the user version again, so that we re-add force_rebuild to the
database. This also forces another rebuild which helps with possible
inconsistent data when someone interrupted the earlier rebuild for
v2.0.0.
Fixes #6111
(cherry picked from commit 2b47bd01dbc15a02911989a190e2ef956aeedf27)
|
|
(cherry picked from commit 0b0a35494a20763c9b14736e2cf5efac88e11ce8)
|
|
When initially creating a new profile, we want to set its cookie policy
properly. This fixes a regression introduced in 2c81271 / 5782123.
Fixes #6120
(cherry picked from commit 3a0e411210158b0ea589a50c6581127beaaa95ce)
|
|
(cherry picked from commit b4b22b765e8143754a2f6023e437b7d10c915cc0)
|
|
|
|
Even if the stdlib importlib.resources is available there, we require
the backport (due to the .files API).
(cherry picked from commit e0af2a23707b3fc4822fb97fb93383e60476ffe0)
|
|
I thought about implementing recursive globbing for preloading, but that
would also potentially preload things we don't necessarily need
preloaded, such as html/doc/*.html.
Fixes #6098
(cherry picked from commit 62c71975a2a1d270d77c283fb6d912be50cb929b)
|
|
According to upstream, sip should be packaged as PyQt5.sip ever since
PyQt 5.11:
https://www.riverbankcomputing.com/static/Docs/PyQt5/incompatibilities.html#pyqt-v5-11
Since support for PyQt 5.11 was dropped for v2.0.0, importing from the
old name was dropped in bff1b2a7d063f9093a50c8ed3ed94b777735e5d7 as
well.
However, some distributions (Ubuntu 20.04, most likely Debian, Guix,
perhaps others?) package newer versions of PyQt5 while still using the
old global "sip" package.
Thus, this restores the (trivial) compatibility layer.
Fixes #6082
(cherry picked from commit 41087d3adf42c48ef08f5851af43b26809753c4c)
|
|
Fixes #6083
(cherry picked from commit 0e0369397c3bf23c7d8b753399fe6995fbac3ee6)
|
|
When importlib.resources (or the importlib_resources backport) uses
zipfile.Path in the Python 3.8/3.9 stdlib (rather than the zipp
backport), we get KeyError rather than a FileNotFoundError if a resource
does not exist. See https://bugs.python.org/issue43063.
We work around this by re-raising a KeyError as FileNotFoundError.
Fixes #6086
(cherry picked from commit 9313523ae144f350ce5c930e735ba9257c34067e)
|
|
(cherry picked from commit 9a5fe232cd2c59128141261435c4b3ff7fd9be43)
|
|
This is a regression introduced in
68b81511e5a0228cd37b2907065fd6d96aa7876f.
See #1078
Fixes #6087
(cherry picked from commit d832ce5f8de04ba94eb11738619a384c796ad300)
|
|
|
|
(cherry picked from commit 49291560ff51b6ec7b52d122a71bbf81052a690f)
|
|
(cherry picked from commit a5c53a307a37fef6f91fe0689bc1620736a4a92c)
|
|
The _possibly_show_missing_dependency_warning() is only shown if the
"adblock" import is unavailable (i.e. None), thus we assumed that it
must be either not installed or outdated.
However, there's a third possible case: The library wasn't available at
import time, but it *is* available when the setting changed at runtime.
If that's the case, show a warning instead of an AssertionError.
(cherry picked from commit d2f0cad2c7610b62c24648db5efdfa2c7410637f)
|
|
|
|
See #6080
|
|
See #6065
(cherry picked from commit 38fec3726fc0aa518a3637574f7e3e0029df41d4)
|
|
It was switched to bash in 22e4a800a1c6080d29d41eeda229bc67b7bf314b for
"-o pipefail", but doesn't actually use pipes, so we might as well
switch it back to sh again.
(cherry picked from commit aa333512a12c42c86e3c76faf1f5606426f454f1)
|
|
It looks like some setups (and even packages, apparently?!) still ship
adblock.py despite it not being a part of the release.
This then causes a NoOptionError because adblock.py tries to access
content.host_blocking which doesn't exist anymore.
Likely this will resolve over time - but until that's the case, let's
just explicitly block that component even if it exists.
(cherry picked from commit f5a409aa9f0b59f3bbb3e23bcf84e4a05c829858)
|
|
When qutebrowser is installed as an .egg (like can happen with setup.py
install), importlib.resources.files(...) can return a zipfile.Path in
place of a pathlib.Path.
Unfortunately, those path objects don't support .glob(), nor do they
support things like .relative_to() or .as_posix(). Thus, if that's the
case, we need to implement our own poor globbing based on
.iterdir() (which they *do* support).
(cherry picked from commit 54bcdc1eefa86cc20790973d6997b60c3bba884c)
|
|
(cherry picked from commit 5ac9e3c23d93936df091bca6057b2f6adc3aeb2a)
|
|
(cherry picked from commit d3b8b525b71a4ee24244e5f4fa0ab91631712abd)
|
|
(cherry picked from commit d48b455d776112d2a52b800a6b451fe3834464af)
|
|
|
|
|
|
Update dependencies
|
|
|
|
|
|
|
|
See #6050
|
|
|
|
|
|
|
|
|
|
|
|
|