Age | Commit message | Author
2021-10-21 | Update docs [v2.1.x] | Florian Bruhin
(cherry picked from commit 41b05f954882313131a75ccbc53c1e373a915d38)
2021-10-21 | CVE-2021-41146: Add --untrusted-args to avoid argument injection | Florian Bruhin
On Windows, if an application is registered as an URL handler like this:

    HKEY_CLASSES_ROOT
        https
            URL Protocol = ""
            [...]
            shell
                open
                    command
                        (Default) = ".../qutebrowser.exe" "%1"

one would think that Windows takes care of making sure URLs can't inject arguments by containing a quote. However, this is not the case, as stated by the Microsoft docs:

https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa767914(v=vs.85)

    Security Warning: Applications that handle URI schemes must consider how to respond to malicious data. Because handler applications can receive data from untrusted sources, the URI and other parameter values passed to the application may contain malicious data that attempts to exploit the handling application.

and

    As noted above, the string that is passed to a pluggable protocol handler might be broken across multiple parameters. Malicious parties could use additional quote or backslash characters to pass additional command line parameters. For this reason, pluggable protocol handlers should assume that any parameters on the command line could come from malicious parties, and carefully validate them. Applications that could initiate dangerous actions based on external data must first confirm those actions with the user. In addition, handling applications should be tested with URIs that are overly long or contain unexpected (or undesirable) character sequences.

Indeed it's trivial to pass a command to qutebrowser this way - given how trivial the exploit is to recreate given the information above, here's a PoC:

    https:x" ":spawn calc

(or qutebrowserurl: instead of https: if qutebrowser isn't registered as a default browser)

Some applications do escape the quote characters before calling qutebrowser - but others, like Outlook Desktop or .url files, do not.

As a fix, we add an --untrusted-args flag and some early validation of the raw sys.argv, before parsing any arguments or e.g. creating a QApplication (which might already allow injecting Qt flags there).

We assume that there's no way for an attacker to inject flags *before* the %1 placeholder in the registry, and add --untrusted-args as the last argument of the registry entry. This way, it'd still be possible for users to customize their invocation flags without having to remove --untrusted-args.

After --untrusted-args, however, we have some rather strict checks:

- There should be zero or one arguments, but not two (or more)
- Any argument may not start with - (flag) or : (qutebrowser command)

We also add the --untrusted-args flag to the Linux .desktop file, though it should not be needed there, as the specification there is sane:

https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html#exec-variables

    Implementations must take care not to expand field codes into multiple arguments unless explicitly instructed by this specification. This means that name fields, filenames and other replacements that can contain spaces must be passed as a single argument to the executable program after expansion.

There is no comparable mechanism on macOS, which opens the application without arguments and then sends an "open" event to it:

https://doc.qt.io/qt-5/qfileopenevent.html

This issue was introduced in qutebrowser v1.7.0 which started registering it as URL handler: baee2888907b260881d5831c68500941937261a0 / #4086

This is by no means an issue isolated to qutebrowser. Many other projects have had similar trouble with Windows' rather unexpected behavior:

Electron / Exodus Bitcoin wallet:

- http://web.archive.org/web/20190702112128/https://medium.com/0xcc/electrons-bug-shellexecute-to-blame-cacb433d0d62
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000006
- https://medium.com/hackernoon/exploiting-electron-rce-in-exodus-wallet-d9e6db13c374

IE/Firefox:

- https://bugzilla.mozilla.org/show_bug.cgi?id=384384
- https://bugzilla.mozilla.org/show_bug.cgi?id=1572838

Others:

- http://web.archive.org/web/20210930203632/https://www.vdoo.com/blog/exploiting-custom-protocol-handlers-in-windows
- https://parsiya.net/blog/2021-03-17-attack-surface-analysis-part-2-custom-protocol-handlers/
- etc. etc.

See CVE-2021-41146 / GHSA-vw27-fwjf-5qxm:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41146
https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm

Thanks to Ping Fan (Zetta) Ke of Valkyrie-X Security Research Group (VXRL/@vxresearch) for finding and responsibly disclosing this issue.

(cherry picked from commit 8f46ba3f6dc7b18375f7aa63c48a1fe461190430)
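The two checks described in the commit message above, written out as an added example (this is not qutebrowser's own code). The function and class names are hypothetical, the argv lists are constructed samples, and the last-but-one sample assumes the marker sits immediately before the URL placeholder in the handler registration.

```python
UNTRUSTED_FLAG = "--untrusted-args"


class UntrustedArgsError(ValueError):
    """Raised when arguments after --untrusted-args break the rules."""


def validate_untrusted_args(argv):
    """Check the raw argv before any argument parsing happens.

    Returns None if the marker is absent (nothing is marked untrusted),
    otherwise the list of arguments after it (zero or one element).
    """
    try:
        idx = argv.index(UNTRUSTED_FLAG)
    except ValueError:
        return None

    rest = argv[idx + 1:]
    # Check 1: zero or one argument, never two or more.
    if len(rest) > 1:
        raise UntrustedArgsError(
            "multiple arguments after {}: {!r}".format(UNTRUSTED_FLAG, rest))
    # Check 2: must not look like a flag (-) or a qutebrowser command (:).
    for arg in rest:
        if arg.startswith(("-", ":")):
            raise UntrustedArgsError(
                "{!r} after {} looks like a flag or command".format(
                    arg, UNTRUSTED_FLAG))
    return rest


def verdict(argv):
    """Return 'accepted' or a 'rejected: ...' string for one argv list."""
    try:
        validate_untrusted_args(argv)
        return "accepted"
    except UntrustedArgsError as exc:
        return "rejected: {}".format(exc)


# Constructed sample argv lists (what the process would see after the
# command line has been split into arguments).
SAMPLES = {
    "plain URL": ["qutebrowser.exe", UNTRUSTED_FLAG, "https://example.org/"],
    "user flag before marker": ["qutebrowser.exe", "--temp-basedir",
                                UNTRUSTED_FLAG, "https://example.org/"],
    "no URL at all": ["qutebrowser.exe", UNTRUSTED_FLAG],
    # The PoC string from the commit message, once its quote has split it
    # into two arguments.
    "PoC after quote splitting": ["qutebrowser.exe", UNTRUSTED_FLAG,
                                  "https:x", ":spawn calc"],
    "single injected flag": ["qutebrowser.exe", UNTRUSTED_FLAG,
                             "--temp-basedir"],
}

if __name__ == "__main__":
    for name, argv in SAMPLES.items():
        print("{:28} {}".format(name, verdict(argv)))
```

Because only the first occurrence of the marker is located, a second `--untrusted-args` supplied inside the untrusted data lands in the checked remainder and is rejected as a flag.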
2021-04-01 | Release v2.1.1 [v2.1.1] | Florian Bruhin
2021-04-01 | Update changelog from master | Florian Bruhin
2021-04-01 | Update requirements from master | Florian Bruhin
2021-04-01 | Revert "Fix gopass mime format for qute-pass userscript" | Florian Bruhin
This reverts commit 3284ec900e42b279bc3bc40593d7356ab1e3f9b0. Not needed as most gopass versions do this when stdout is a pipe, but it interferes with reading the username from the secret. See the discussion in #6323 for more detail, and #5972 for the original PR. (cherry picked from commit 9115ea4a4bbc4858d7fa0422cff59c29699fa53a)
2021-03-31 | tests: Skip test_real_chromium_version if guessing too much [v2.1.x-dev] | Florian Bruhin
(cherry picked from commit c7657e65cc2eea04aee70d466b436c675707c270)
2021-03-31 | tests: Fix accidental network access | Florian Bruhin
Running :adblock-update also updates ABP lists and thus tries downloading easylist. (cherry picked from commit ac9388fb1baba17c99de9d8872c274ab6dd38854)
2021-03-31 | tests: Make test_real_chromium_version clearer | Florian Bruhin
(cherry picked from commit c9e6aea1b41d892238635aed4f2099ec5017727c)
2021-03-31 | flatpak: Try getting ID from /.flatpak_info | Florian Bruhin
(cherry picked from commit 8b49d87526dd34380df6e98800ecc82367b48be1)
2021-03-31 | Increase vim compatibility | Florian Bruhin
Vim has this, and it's almost easter, so clearly we should have it too. Also it's from Monty Python, which makes it even more fitting. HEAD KNIGHT: Ni! KNIGHTS: Ni! Ni! Ni! ARTHUR: Who are you? HEAD KNIGHT: We are the Knights Who Say... Ni! ARTHUR: No! Not the Knights Who Say Ni! HEAD KNIGHT: The same! BEDEVERE: Who are they? HEAD KNIGHT: We are the keepers of the sacred words: Ni, Pen, and Ni-wom! RANDOM: Ni-wom! ARTHUR: Those who hear them seldom live to tell the tale! HEAD KNIGHT: The Knights Who Say Ni demand a sacrifice! ARTHUR: Knights of Ni, we are but simple travellers who seek the enchanter who lives beyond these woods. HEAD KNIGHT: Ni! Ni! Ni! Ni! ARTHUR and PARTY: Oh, ow! HEAD KNIGHT: We shall say 'nee' again to you if you do not appease us. ARTHUR: Well, what is it you want? HEAD KNIGHT: We want... a shrubbery! [dramatic chord] ARTHUR: A what? HEAD KNIGHT: Ni! Ni! ARTHUR and PARTY: Oh, ow! ARTHUR: Please, please! No more! We shall find a shrubbery. HEAD KNIGHT: You must return here with a shrubbery or else you will never pass through this wood alive! ARTHUR: O Knights of Ni, you are just and fair, and we will return with a shrubbery. HEAD KNIGHT: One that looks nice. ARTHUR: Of course. HEAD KNIGHT: And not too expensive. ARTHUR: Yes. HEAD KNIGHTS: Now... go! ARTHUR: Old crone! Is there anywhere in this town where we could buy a shrubbery! [dramatic chord] CRONE: Who sent you? ARTHUR: The Knights Who Say Nee. CRONE: Agh! No! Never! We have no shrubberies here. ARTHUR: If you do not tell us where we can buy a shrubbery, my friend and I will say... we will say... `nee'. CRONE: Agh! Do your worst! ARTHUR: Very well! If you will not assist us voluntarily,... Ni! CRONE: No! Never! No shrubberies! ARTHUR: Ni! BEDEVERE: Noo! Noo! ARTHUR: No, no, no, no -- it's not that, it's 'Ni'. BEDEVERE: Noo! ARTHUR: No, no -- 'Ni'. You're not doing it properly. BEDEVERE: Noo! Ni! ARTHUR: That's it, that's it, you've got it. ARTHUR and BEDEVERE: Ni! Ni! 
ROGER: Are you saying 'Ni' to that old woman? ARTHUR: Um, yes. ROGER: Oh, what sad times are these when passing ruffians can say `Ni' at will to old ladies. There is a pestilence upon this land, nothing is sacred. Even those who arrange and design shrubberies are under considerable economic stress at this period in history. ARTHUR: Did you say `shrubberies'? ROGER: Yes, shrubberies are my trade -- I am a shrubber. My name is Roger the Shrubber. I arrange, design, and sell shrubberies. BEDEVERE: Ni! ARTHUR: No! No, no, no! No! ARTHUR: O, Knights of Ni, we have brought you your shrubbery. May we go now? HEAD KNIGHT: It is a good shrubbery. I like the laurels particularly. But there is one small problem. ARTHUR: What is that? HEAD KNIGHT: We are now... no longer the Knights Who Say Ni. RANDOM: Ni! HEAD KNIGHT: Shh shh. We are now the Knights Who Say Ecky-ecky-ecky- ecky-pikang-zoom-boing-mumble-mumble. RANDOM: Ni! HEAD KNIGHT: Therefore, we must give you a test. ARTHUR: What is this test, O Knights of-- Knights Who 'Til Recently Said Ni? HEAD KNIGHT: Firstly, you must find... another shrubbery! [dramatic chord] ARTHUR: Not another shrubbery! HEAD KNIGHT: Then, when you have found the shrubbery, you must place it here beside this shrubbery, only slightly higher so you get a two-level effect with a little path running down the middle. RANDOM: A path! A path! Ni! HEAD KNIGHT: Then, when you have found the shrubbery, you must cut down the mightiest tree in the forest... with... a herring! [dramatic chord] ARTHUR: We shall do no such thing! HEAD KNIGHT: Oh, please! ARTHUR: Cut down a tree with a herring? It can't be done. KNIGHTS: Aaaaugh! Aaaugh! HEAD KNIGHT: Don't say that word. ARTHUR: What word? HEAD KNIGHT: I cannot tell, suffice to say is one of the words the Knights of Ni cannot hear. ARTHUR: How can we not say the word if you don't tell us what it is? KNIGHTS: Aaaaugh! Aaaugh! ARTHUR: What, `is'? 
HEAD KNIGHT: No, not `is' -- we couldn't get very far in life not saying `is'. BEDEVERE: My liege, it's Sir Robin! MINSTREL (singing): Packing it in and packing it up And sneaking away and buggering up And chickening out and pissing about Yes, bravely he is throwing in the sponge ARTHUR: Oh, Robin! ROBIN: My liege! It's good to see you! KNIGHTS: Aaaaugh! HEAD KNIGHT: He said the word! ARTHUR: Surely you've not given up your quest for the Holy Grail? MINSTREL (singing): He is sneaking away and buggering up-- ROBIN: Shut up! No, no no-- far from it. HEAD KNIGHT: He said the word again! ROBIN: I was looking for it. KNIGHTS: Aaaaugh! ROBIN: Uh, here, here in this forest. ARTHUR: No, it is far from-- KNIGHTS: Aaaaugh! HEAD KNIGHT: Aaaaugh! Stop saying the word! ARTHUR: Oh, stop it! KNIGHTS: Aaaaugh! HEAD KNIGHT: Oh! He said it again! ARTHUR: Patsy! HEAD KNIGHT: Aaugh! I said it! I said it! Ooh! I said it again! KNIGHTS: Aaaaugh! (cherry picked from commit 5a4b51a784b4332242191a61a24d72bca3ff60dc)
2021-03-31 | flatpak: Make things work without FLATPAK_ID | Florian Bruhin
(cherry picked from commit 3b1bbc709cad66639eb7bf2285a0db2b361281e5)
2021-03-31 | flatpak: Fix standarddir/ipc tests | Florian Bruhin
(cherry picked from commit f35e284de01ac1bc6e81000063ad8b0525ac1354)
2021-03-31 | ci: Move test_mkvenv.py to update-dependencies | Florian Bruhin
It requires some time and network access, so no need to run it as part of the automated tests. (cherry picked from commit 545a295cf0fc318538a2355f1244cfd2df575af9)
2021-03-31 | Fix --asciidoc for mkvenv.py | Florian Bruhin
(cherry picked from commit ed49bdd9a4c15aea9e194a5ca8a199a22ecdbd9f)
2021-03-31 | tests: Ignore mDNS errors | Florian Bruhin
They happen with data/crashers/webrtc.html in Flatpak and are harmless. (cherry picked from commit aea69ff3dfb572370e6b0514950043bd2be4a864)
2021-03-31 | flatpak: Skip download dispatcher tests | Florian Bruhin
(cherry picked from commit 40c72f849d35cde1644558792845d93e3032ea93)
2021-03-31 | flatpak: Get correct path to QtWebEngine locales | Florian Bruhin
(cherry picked from commit 31e655dd36156eea9039cf210c0a0f67f5f3fc87)
2021-03-30 | Rename version.is_sandboxed() to is_flatpak() | Florian Bruhin
(cherry picked from commit 5ce8a9c9c19e2aaec591b191d3c3efebd1957fa7) For easier backporting of changes.
2021-03-30 | Fix coverage | Florian Bruhin
This is covered by tests in master, and by pre-release checks here
2021-03-29 | ipc: Hide socket warning when re-getting socket | Florian Bruhin
(cherry picked from commit 6de2d238418ddd8d0791584635955d9882618060)
2021-03-29 | ipc: Fix socket handling | Florian Bruhin
Speculatively fixes #5344 (cherry picked from commit 4a2c6c76241d6554e5fa3cfe358cfe16646728a0)
2021-03-29 | scripts: Fix asciidoc error | Florian Bruhin
Fixup to 28bd35ed58f85f23570a9901094d550baa6bff1c (cherry picked from commit f511f11ecdc2708c0333ec86b52c790c50f50e23)
2021-03-29 | Fix QtWebEngine version guessing with PyInstaller | Florian Bruhin
Fixes #6337 (cherry picked from commit eee6e6180e3b75f23059909d52983572c8477f06)
2021-03-29 | Split QtWebEngine version handling into different methods | Florian Bruhin
Preparation for #6337 (cherry picked from commit 028e7b65692acd6269dfffcdf6632d5368efbfa9)
2021-03-24 | tests: Don't download TLD list | Florian Bruhin
(cherry picked from commit 9303e6a85489775f63b5d15b7bbd3173f74764d9)
2021-03-24 | Catch AttributeError for FormatString configtype | Florian Bruhin
(cherry picked from commit b171f3c0f2bd52f30330843a742d4bf9600b420d)
2021-03-24 | Use mainwindow.raise_window for :tab-select | Florian Bruhin
Fixes #6321 (cherry picked from commit 5d69a21262adcaab90af50eaf8184c38e67031c5)
2021-03-23 | standarddir: Fix custom basedirs with flatpak | Florian Bruhin
See https://github.com/flathub/org.qutebrowser.qutebrowser/issues/18#issuecomment-802827816 (cherry picked from commit 74c9f66752f077c4b94927c15aec801a1ab88a22)
2021-03-20 | Improve bindings.key_mappings description | Florian Bruhin
(cherry picked from commit 3dc5584cac2a588828dbd50ba441c04ad27e6d17)
2021-03-20 | Fix bindings.key_mappings with multiple keys | Florian Bruhin
Otherwise, when e.g. doing "<Meta+Up>": "gg" in bindings.key_mappings, there's a crash like:

    Traceback (most recent call last):
      File "/usr/lib/python3.9/site-packages/qutebrowser/keyinput/eventfilter.py", line 105, in eventFilter
        return handler(typing.cast(QKeyEvent, event))
      File "/usr/lib/python3.9/site-packages/qutebrowser/keyinput/eventfilter.py", line 75, in _handle_key_event
        return man.handle_event(event)
      File "/usr/lib/python3.9/site-packages/qutebrowser/keyinput/modeman.py", line 462, in handle_event
        return handler(cast(QKeyEvent, event))
      File "/usr/lib/python3.9/site-packages/qutebrowser/keyinput/modeman.py", line 283, in _handle_keypress
        match = parser.handle(event, dry_run=dry_run)
      File "/usr/lib/python3.9/site-packages/qutebrowser/keyinput/modeparsers.py", line 105, in handle
        match = super().handle(e, dry_run=dry_run)
      File "/usr/lib/python3.9/site-packages/qutebrowser/keyinput/basekeyparser.py", line 309, in handle
        result = self._match_key_mapping(result.sequence)
      File "/usr/lib/python3.9/site-packages/qutebrowser/keyinput/basekeyparser.py", line 246, in _match_key_mapping
        mapped = sequence.with_mappings(
      File "/usr/lib/python3.9/site-packages/qutebrowser/keyinput/keyutils.py", line 675, in with_mappings
        assert len(new_seq) == 1
    AssertionError

While this isn't the intended way to use this setting, we shouldn't crash - and let's just make it work instead of forbidding it.

(cherry picked from commit 5b6d2c60b46e233d4788a9b34d15fdb7d8d1c114)
2021-03-20 | qute-pass userscript: Add -o flag to gopass otp invocation so the metadata around the OTP token is omitted | s3lph
(cherry picked from commit 62ff0f0ec07fe11e1c72022970399725fbc475d2)
2021-03-19 | Only connect IPC after init has finished | Florian Bruhin
Otherwise, if there's a fatal error message shown during init, we try to open something via IPC before we're fully initialized. This can e.g. lead to a KeyError for qtnetwork-download-manager:

    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/qutebrowser/app.py", line 120, in <lambda>
        process_pos_args(args, cwd=cwd, via_ipc=True,
      File "/usr/lib/python3/dist-packages/qutebrowser/app.py", line 230, in process_pos_args
        win_id = mainwindow.get_window(via_ipc, force_window=True)
      File "/usr/lib/python3/dist-packages/qutebrowser/mainwindow/mainwindow.py", line 89, in get_window
        window = MainWindow(private=None)
      File "/usr/lib/python3/dist-packages/qutebrowser/mainwindow/mainwindow.py", line 220, in __init__
        self._init_downloadmanager()
      File "/usr/lib/python3/dist-packages/qutebrowser/mainwindow/mainwindow.py", line 350, in _init_downloadmanager
        qtnetwork_download_manager = objreg.get('qtnetwork-download-manager')
      File "/usr/lib/python3/dist-packages/qutebrowser/utils/objreg.py", line 249, in get
        return reg[name]
      File "/usr/lib/python3.8/collections/__init__.py", line 1010, in __getitem__
        raise KeyError(key)
    KeyError: 'qtnetwork-download-manager'

(cherry picked from commit 6c0d8d59647b39ecf3292b125991522d3502db65)
2021-03-19 | Handle OSError in brave adblock | Florian Bruhin
(cherry picked from commit 09c848fe34bd61fca74c6191ff5e49dbbf9ae101)
2021-03-18 | Add quirk for krunker.io | Florian Bruhin
(cherry picked from commit 7de06df5f4d034c50f96f0d5a241d5e222cb5d2a)
2021-03-18 | Only run test_flatpak_runtimedir on Linux | Florian Bruhin
Paths are different on macOS/Windows (cherry picked from commit 069743e98d3dd18954298b7a10b55c5156a8d765)
2021-03-18 | Fix test_flatpak_runtimedir | Florian Bruhin
(cherry picked from commit 6a65ff1ad07911d2ee23a1c6360d2bebdc305b33)
2021-03-18 | Fix lint | Florian Bruhin
Alternative to c07b93b7c40aef496e8e0a298e4fbafedf4ee8d0
2021-03-18 | Add a test for flatpak runtime dir | Florian Bruhin
See #6300 (cherry picked from commit ca8c3205857bf81a06f8f36aae999303281412e2, but adjusted for this branch)
2021-03-18 | Try to recover from CompletionMetaInfo with unexpected structure | Florian Bruhin
Fixes #6302 (cherry picked from commit 254b21f3ecc43d4d844e6ded55378673b913b5c8)
2021-03-18 | Use correct runtime path for Flatpak | Florian Bruhin
See #6300 Independent from the implementation on master, due to the circular import workaround.
2021-03-17 | Improve joinpath regex | Florian Bruhin
joinpath is still useful with a list of args (cherry picked from commit ed20af9828f609449afdf64dacf152da5924f6cb)
2021-03-17 | Fix shadowed name | Florian Bruhin
(cherry picked from commit ff341513afa1dad95ea71b52d654bb32512a8042)
2021-03-17 | tests: Handle XDG_*_HOME standarddir tests | Florian Bruhin
For some reason, a recent change on GitHub's runners seems to explicitly set XDG_CONFIG_HOME. That breaks our tests, however, because we can't simply override HOME to control where the directories are created. Thus, make sure that XDG_*_HOME is always unset. (cherry picked from commit 23810876e408253aee8ba19082abd7f07ec7925d)
2021-03-17 | Fix version parsing with Flatpak | Florian Bruhin
See https://github.com/flathub/org.qutebrowser.qutebrowser/issues/11 (cherry picked from commit 7ae7b6ea1a20c8379ae072eea6bd1449788852a6)
2021-03-12 | Fix lint | Florian Bruhin
(cherry picked from commit 2a7e053495b35c6003034c63230a92b03f6d007a)
2021-03-12 | tests: Further improve and stabilize screenshots | Florian Bruhin
(cherry picked from commit 903e5e294301d8551c06e6f918b726a20a1d391c)
2021-03-12 | Leave insert mode when clicking devtools 'x' | Florian Bruhin
Closes #6270 (cherry picked from commit 579e70b0ab812a5195f726ad41e2d7016e54c7b5)
2021-03-12 | Also enable formula workaround on Qt 5.12 and 5.13 | Florian Bruhin
Fixes #6268 (cherry picked from commit 43ab61106c1da7e253161a004a99ac75b2e7bfb3)
2021-03-12 | Stabilize darkmode mathml test | Florian Bruhin
(cherry picked from commit 54d2ca2a071d3d30266097d7c79e6b1bb82b4a95)