Age | Commit message | Author
2021-10-21 | Update docs [v2.2.x] | Florian Bruhin
(cherry picked from commit 41b05f954882313131a75ccbc53c1e373a915d38)
2021-10-21 | CVE-2021-41146: Add --untrusted-args to avoid argument injection | Florian Bruhin
On Windows, if an application is registered as a URL handler like this:

    HKEY_CLASSES_ROOT
        https
            URL Protocol = ""
            [...]
            shell
                open
                    command
                        (Default) = ".../qutebrowser.exe" "%1"

one would think that Windows takes care of making sure URLs can't inject arguments by containing a quote. However, this is not the case, as stated by the Microsoft docs:
https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa767914(v=vs.85)

    Security Warning: Applications that handle URI schemes must consider how to respond to malicious data. Because handler applications can receive data from untrusted sources, the URI and other parameter values passed to the application may contain malicious data that attempts to exploit the handling application.

and

    As noted above, the string that is passed to a pluggable protocol handler might be broken across multiple parameters. Malicious parties could use additional quote or backslash characters to pass additional command line parameters. For this reason, pluggable protocol handlers should assume that any parameters on the command line could come from malicious parties, and carefully validate them. Applications that could initiate dangerous actions based on external data must first confirm those actions with the user. In addition, handling applications should be tested with URIs that are overly long or contain unexpected (or undesirable) character sequences.

Indeed it's trivial to pass a command to qutebrowser this way - given how trivial the exploit is to recreate given the information above, here's a PoC:

    https:x" ":spawn calc

(or qutebrowserurl: instead of https: if qutebrowser isn't registered as a default browser)

Some applications do escape the quote characters before calling qutebrowser - but others, like Outlook Desktop or .url files, do not.

As a fix, we add an --untrusted-args flag and some early validation of the raw sys.argv, before parsing any arguments or e.g. creating a QApplication (which might already allow injecting Qt flags there).

We assume that there's no way for an attacker to inject flags *before* the %1 placeholder in the registry, and add --untrusted-args as the last argument of the registry entry. This way, it'd still be possible for users to customize their invocation flags without having to remove --untrusted-args.

After --untrusted-args, however, we have some rather strict checks:

- There should be zero or one arguments, but not two (or more)
- Any argument may not start with - (flag) or : (qutebrowser command)

We also add the --untrusted-args flag to the Linux .desktop file, though it should not be needed there, as the specification there is sane:
https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html#exec-variables

    Implementations must take care not to expand field codes into multiple arguments unless explicitly instructed by this specification. This means that name fields, filenames and other replacements that can contain spaces must be passed as a single argument to the executable program after expansion.

There is no comparable mechanism on macOS, which opens the application without arguments and then sends an "open" event to it:
https://doc.qt.io/qt-5/qfileopenevent.html

This issue was introduced in qutebrowser v1.7.0 which started registering it as a URL handler:
baee2888907b260881d5831c68500941937261a0 / #4086

This is by no means an issue isolated to qutebrowser. Many other projects have had similar trouble with Windows' rather unexpected behavior:

Electron / Exodus Bitcoin wallet:
- http://web.archive.org/web/20190702112128/https://medium.com/0xcc/electrons-bug-shellexecute-to-blame-cacb433d0d62
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000006
- https://medium.com/hackernoon/exploiting-electron-rce-in-exodus-wallet-d9e6db13c374

IE/Firefox:
- https://bugzilla.mozilla.org/show_bug.cgi?id=384384
- https://bugzilla.mozilla.org/show_bug.cgi?id=1572838

Others:
- http://web.archive.org/web/20210930203632/https://www.vdoo.com/blog/exploiting-custom-protocol-handlers-in-windows
- https://parsiya.net/blog/2021-03-17-attack-surface-analysis-part-2-custom-protocol-handlers/
- etc. etc.

See CVE-2021-41146 / GHSA-vw27-fwjf-5qxm:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41146
https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm

Thanks to Ping Fan (Zetta) Ke of Valkyrie-X Security Research Group (VXRL/@vxresearch) for finding and responsibly disclosing this issue.

(cherry picked from commit 8f46ba3f6dc7b18375f7aa63c48a1fe461190430)
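The check described in the commit message above, sketched as an added example; it is not qutebrowser's own code. The names check_untrusted_args and main are assumptions made for illustration, and the function works on the raw argument list before any argument parser or toolkit sees it.

```python
import sys
from typing import List, Optional

UNTRUSTED_FLAG = "--untrusted-args"


def check_untrusted_args(argv: List[str]) -> Optional[str]:
    """Return an error message if argv breaks the rules, else None.

    Arguments before the first --untrusted-args are trusted: they come from
    the registry entry or from the user's own invocation. Everything after
    it may have been supplied by whoever crafted the URL.
    """
    try:
        index = argv.index(UNTRUSTED_FLAG)
    except ValueError:
        # Flag absent: an ordinary invocation, nothing to enforce.
        return None

    untrusted = argv[index + 1:]

    # Rule 1: zero or one argument, never two or more. A URL that was split
    # on an embedded quote shows up here as several arguments.
    if len(untrusted) > 1:
        return (f"Found {len(untrusted)} arguments after {UNTRUSTED_FLAG}, "
                "but expected at most one")

    # Rule 2: the single argument must not look like a flag ("-") or a
    # qutebrowser command (":"). A repeated --untrusted-args is caught too.
    for arg in untrusted:
        if arg.startswith(("-", ":")):
            return f"Refusing untrusted argument {arg!r}: flag or command"

    return None


def main(argv: List[str]) -> int:
    # Validate first; only a clean argv may reach argument parsing.
    error = check_untrusted_args(argv)
    if error is not None:
        print(error, file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```
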
2021-06-24 | scripts: Fix distutils deprecation in link_pyqt | Florian Bruhin
$ .../.tox/py310/bin/python scripts/link_pyqt.py --tox .tox/py310
<string>:1: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
<string>:1: DeprecationWarning: The distutils.sysconfig module is deprecated, use sysconfig instead

See https://bugs.python.org/issue41282

(cherry picked from commit e3e0fbc3559d9c3d08a3566f7d8bf03a23017e78)
2021-06-15 | scripts: Add bluetooth permission for macOS | Florian Bruhin
Apple documentation claims this is for iOS/watchOS/tvOS only:
https://developer.apple.com/documentation/bundleresources/information_property_list/nsbluetoothalwaysusagedescription

However, reality tells a different story - according to Console.app, when visiting accounts.google.com, qutebrowser/Chromium needs this permission. Reproducible as well using the following demo page:
https://googlechrome.github.io/samples/web-bluetooth/battery-level.html

Finally, Google Chrome has the key declared as well. Note that it has NSBluetoothPeripheralUsageDescription as well:
https://developer.apple.com/documentation/bundleresources/information_property_list/nsbluetoothperipheralusagedescription

...but that is deprecated, and according to my tests on macOS 10.14 and 10.15, it's not needed.

Thanks to Apple for their wonderful documentation.... not.

Fixes #6475, hopefully for real this time.
2021-06-01 | Improve IRC links | Florian Bruhin
(cherry picked from commit b34988055071522e72c73b0f3a0bd3a6b59c6b9a)
2021-06-01 | Release v2.2.3 [v2.2.3] | Florian Bruhin
2021-06-01 | Update changelog from master | Florian Bruhin
2021-06-01 | Windows Uninstaller: Fix silent uninstall (again) | bitraid
(cherry picked from commit 74cf64a063a12a08e8979e2145b3cf0394bf2abd)
2021-06-01 | brave adblock: Handle DeserializationError | Florian Bruhin
Fixes #6489 (cherry picked from commit 9ff9fd0a0244aa8ffc2fb56cbb7ba445d75f0b9c)
2021-06-01 | Speculative fix for deleted WebEngineCaret | Florian Bruhin
(Hopefully) fixes #6394. (cherry picked from commit a3f9cad456f69a9febb65a27510f56d0d8b2f34f)
2021-06-01 | Make dark mode tests work correctly on ARM/aarch64 | Florian Bruhin
Fixes #6489 (cherry picked from commit b4b65b8cd158aecea11e7d074d941f8c3908ab66)
2021-06-01 | Windows Installer: Allow elevation when silent | bitraid
(cherry picked from commit 78d4a9d41b0f435bf379ec4b06e3cbcb3d30c207)
2021-05-30 | Handle un-encodable initial text for editor | Florian Bruhin
(cherry picked from commit c74d1075620f54d8904b9ae822299ba1221450f4)
2021-05-30 | Fix crash when quitting on qute://settings | Florian Bruhin
(cherry picked from commit f0d432565bf71919413caf76522d6ad34bb0ebc4)
2021-05-30 | Make quitter.is_shutting_down public | Florian Bruhin
Needed for a bugfix in the next commit. (cherry picked from commit 505a24c580f51ac77445fc74517ddfbbf285b411)
2021-05-30 | Validate encoding for header settings | Florian Bruhin
Also needed to add encoding check support to FormatString. (cherry picked from commit 996487c43e4fcc265b541f9eca1e7930e3c5cf05)
2021-05-30 | tests: Update import path for pytestqt SignalBlocker | Florian Bruhin
(cherry picked from commit 03fa9383833c6262b08a5f7c4930143e39327173)
2021-05-29 | tests: Fix test_system_default_rendering with Noto Sans Mono | Florian Bruhin
(cherry picked from commit 33596cfa4abb70df87551600d4c1eeb79a27c106)
2021-05-28 | Fix lint | Florian Bruhin
(cherry picked from commit 380de52c9371fa527d43ac98a16294f171442855)
2021-05-28 | Point to official Libera Chat webchat | Florian Bruhin
(cherry picked from commit 1394bd9b13e06a99f01665afe81e7058ba7a6126)
2021-05-28 | Fix version checking for notifications | Florian Bruhin
We need to check for the QtWebEngine version, not for the version of Qt. Additionally, there's no need to re-check in DBusNotificationAdapter.__init__ as it never gets instantiated on older versions, so it's now an assertion instead. (cherry picked from commit f8c2b0a7e7b7251a5ff5bf475802702c1953a266)
2021-05-28 | Fix tests/lint | Florian Bruhin
We need to set XDG_RUNTIME_DIR properly in the tests so that the log is empty. (cherry picked from commit 1830f784df18057f5e07a59256cc73b5fea91a86)
2021-05-28 | log: Handle JSONLogger in change_console_formatter | Florian Bruhin
Fixes #6482 (cherry picked from commit 40477e826c9ec73a8f99177df645094be3ef5ed3)
2021-05-27 | ci: Switch to #qutebrowser-bots | Florian Bruhin
(cherry picked from commit f2e322c5814b34d5263de4cf51e5a072d4ee020d)
2021-05-26 | ci: Switch bots to Libera | Florian Bruhin
(cherry picked from commit b366911d0af5148661357259883f8546e03b5d08)
2021-05-26 | RIP Freenode | Florian Bruhin
(cherry picked from commit 7961cf73553847ea265a388b736fffac77dae66a)
2021-05-26 | Windows Installer: Update minimum OS version | bitraid
(cherry picked from commit 92178e8152e681fac4d95382978e9391b5ca66d5)
2021-05-25 | Set permission strings in Info.plist | Florian Bruhin
Fixes #6475 (cherry picked from commit bae08ae3860997bc19e9c41b9c9301a56aaeb202)
2021-05-20 | Release v2.2.2 [v2.2.2] | Florian Bruhin
2021-05-20 | Update changelog from master | Florian Bruhin
2021-05-19 | Move function call with side effect out of assertion to avoid error when assertions are disabled | user202729
(cherry picked from commit 502832ac1989858fe98bd8b874ff92e6404180ad)
2021-05-18 | Fix crash in cmd completion for set-cmd-text. | Ryan Roden-Corrent
2c4bb064e introduced support for showing bindings in the completion menu for commands initiated with set-cmd-text. This would crash if given a binding for just 'set-cmd-text' with no args. Fixes #6453. (cherry picked from commit a36efcf6b5b08666c2a65f8d2eef90eaba832fe6)
2021-05-18 | Add a new site-specific quirk for Google Docs | Florian Bruhin
See #6464, #5472, #4805, #4810
e010afd3a20a86639396a9c844abfea7b23cc67a
https://bugreports.qt.io/browse/QTBUG-69652
(cherry picked from commit 8e617d010a5cd305ff42191ea6458a2d003b6d46)
2021-05-18 | Remove service workers based on QtWebEngine version | Florian Bruhin
See https://bugreports.qt.io/browse/QTBUG-93744
(cherry picked from commit b03b03bdf6e02e13b348689bf7b18196432f232b)

Additional fixups:

- Store initial QtWebEngine version (cherry picked from commit 948fd5040d81228452fd72a0170a0d8fe35839a9)
- Fix state config unit tests (cherry picked from commit 335ed484c1f8b6e5417d9000ae226b4f9a85b28f)
- Fix running without QtWebEngine (cherry picked from commit 57ed85ffad3278d159d1ebd03081a5e719b952cb)
- Remove unused imports (cherry picked from commit 9e52ad621ac44d0391c2c6d9dbdda967f7ce95f0)
- Fix tests without QtWebEngine (cherry picked from commit ac12fcd714c699f927170b3d0508336940366bac)
2021-05-03 | notifications: Fix crash with awesomewm devel | Florian Bruhin
(cherry picked from commit 63b8269f5caed26474141254859cf5dcba9209d3)
2021-04-29 | Release v2.2.1 [v2.2.1] | Florian Bruhin
2021-04-29 | Update changelog from master | Florian Bruhin
2021-04-29 | scripts: Add --no-confirm to build_release | Florian Bruhin
(cherry picked from commit 9aa8740ec95e147116ec7d868ac2f3bb2e8259be)
2021-04-29 | ci: Fix CodeQL | Florian Bruhin
(cherry picked from commit 4751890acbf3b98f93386649f2d393b5c4e3cf91)
2021-04-29 | ci: Lock down workflows | Florian Bruhin
Closes #6430 (cherry picked from commit 8023b8c8fe6cfb13e4a561c87177744612bb42f9)
2021-04-29 | Add QUTE_QTWEBENGINE_VERSION_OVERRIDE | Florian Bruhin
See https://github.com/NixOS/nixpkgs/pull/119376#issuecomment-820073044 (cherry picked from commit febb921040b6670d9b1694a6ce55ae39384d1306)
2021-04-29 | tests: Fix test_version with git's init.defaultBranch | Florian Bruhin
(cherry picked from commit 32604a6651813e25ee6d328c880ef95f76c9c744)
2021-04-28 | qute-pass: don't run pass twice when otp-only | afreakk
(cherry picked from commit b04f99bcfce00c72fe7b8e59d76012141a8cb02d)
2021-04-28 | Improved readability of statusbar.widgets documentation. | Nicholas Schwab
(cherry picked from commit 38c5eba3e1e07448a3c1fd082dc418e916c13dc2)
2021-04-28 | Added text: to valid values of statusbar.widgets, making the documentation more uniform. | Nicholas Schwab
(cherry picked from commit a083728168e3c126b8b6a67aa3d4d03845da8a46)
2021-04-28 | Add a site-specific quirk for Discord | Florian Bruhin
Closes #4379 (cherry picked from commit be37524f47bcb78a319eae4e1d61794dfec6cc36)
2021-04-23 | Revert "Set print resolution to 300dpi" | Florian Bruhin
This reverts commit 1e5184bc71f0209744bc93287b4c9bdc172bc5a0.
2021-04-23 | Set print resolution to 300dpi | Florian Bruhin
See https://codereview.qt-project.org/c/qt/qtwebengine/+/344042 (cherry picked from commit 2e4ca779c68a65034fcd4448fa8c0952ed3f0a1d)
2021-04-23 | Fix tests on Windows | Florian Bruhin
(cherry picked from commit 0ee169e497de97d13bbd1b0c50e11bd452d5d25f)
2021-04-23 | Fix :spawn -u -o | Florian Bruhin
Fixes #6407 (cherry picked from commit c7b3559d820ebdc8b3077fce3d782e6ab81cb732)