(cherry picked from commit 41b05f954882313131a75ccbc53c1e373a915d38)
On Windows, if an application is registered as an URL handler like this:
HKEY_CLASSES_ROOT
  https
    URL Protocol = ""
    [...]
    shell
      open
        command
          (Default) = ".../qutebrowser.exe" "%1"
one would think that Windows takes care of making sure URLs can't inject
arguments by containing a quote. However, this is not the case, as
stated by the Microsoft docs:
https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa767914(v=vs.85)
Security Warning: Applications that handle URI schemes must consider how to
respond to malicious data. Because handler applications can receive data
from untrusted sources, the URI and other parameter values passed to the
application may contain malicious data that attempts to exploit the handling
application.
and
As noted above, the string that is passed to a pluggable protocol handler
might be broken across multiple parameters. Malicious parties could use
additional quote or backslash characters to pass additional command line
parameters. For this reason, pluggable protocol handlers should assume that
any parameters on the command line could come from malicious parties, and
carefully validate them. Applications that could initiate dangerous actions
based on external data must first confirm those actions with the user. In
addition, handling applications should be tested with URIs that are overly
long or contain unexpected (or undesirable) character sequences.
Indeed it's trivial to pass a command to qutebrowser this way - given how
trivial the exploit is to recreate given the information above, here's a PoC:
https:x" ":spawn calc
(or qutebrowserurl: instead of https: if qutebrowser isn't registered as a
default browser)
Some applications do escape the quote characters before calling
qutebrowser - but others, like Outlook Desktop or .url files, do not.
As a fix, we add an --untrusted-args flag and some early validation of the raw
sys.argv, before parsing any arguments or e.g. creating a QApplication (which
might already allow injecting Qt flags there).
We assume that there's no way for an attacker to inject flags *before* the %1
placeholder in the registry, and add --untrusted-args as the last argument of
the registry entry. This way, it'd still be possible for users to customize
their invocation flags without having to remove --untrusted-args.
After --untrusted-args, however, we have some rather strict checks:
- There should be zero or one arguments, but not two (or more)
- Any argument may not start with - (flag) or : (qutebrowser command)
We also add the --untrusted-args flag to the Linux .desktop file, though it
should not be needed there, as the specification there is sane:
https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html#exec-variables
Implementations must take care not to expand field codes into multiple
arguments unless explicitly instructed by this specification. This means
that name fields, filenames and other replacements that can contain spaces
must be passed as a single argument to the executable program after
expansion.
There is no comparable mechanism on macOS, which opens the application without
arguments and then sends an "open" event to it:
https://doc.qt.io/qt-5/qfileopenevent.html
This issue was introduced in qutebrowser v1.7.0 which started registering it as
URL handler: baee2888907b260881d5831c68500941937261a0 / #4086
This is by no means an issue isolated to qutebrowser. Many other projects have
had similar trouble with Windows' rather unexpected behavior:
Electron / Exodus Bitcoin wallet:
- http://web.archive.org/web/20190702112128/https://medium.com/0xcc/electrons-bug-shellexecute-to-blame-cacb433d0d62
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000006
- https://medium.com/hackernoon/exploiting-electron-rce-in-exodus-wallet-d9e6db13c374
IE/Firefox:
- https://bugzilla.mozilla.org/show_bug.cgi?id=384384
- https://bugzilla.mozilla.org/show_bug.cgi?id=1572838
Others:
- http://web.archive.org/web/20210930203632/https://www.vdoo.com/blog/exploiting-custom-protocol-handlers-in-windows
- https://parsiya.net/blog/2021-03-17-attack-surface-analysis-part-2-custom-protocol-handlers/
- etc. etc.
See CVE-2021-41146 / GHSA-vw27-fwjf-5qxm:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41146
https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm
Thanks to Ping Fan (Zetta) Ke of Valkyrie-X Security Research Group
(VXRL/@vxresearch) for finding and responsibly disclosing this issue.
(cherry picked from commit 8f46ba3f6dc7b18375f7aa63c48a1fe461190430)
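The early argv validation described above, written out as an added example rather than the commit's own code. It assumes the handler is registered as `"...qutebrowser.exe" --untrusted-args "%1"`, so everything after the flag is the (possibly quote-split) URL; the function and exception names are invented here.

```python
import sys
from typing import List, Optional

UNTRUSTED_FLAG = "--untrusted-args"


class UntrustedArgsError(ValueError):
    """Raised when the arguments following --untrusted-args look injected."""


def validate_untrusted_args(argv: List[str]) -> Optional[str]:
    """Return the single URL after --untrusted-args, or None if there is none.

    Everything after the flag is treated as attacker-controlled: on Windows a
    quote inside the URL can split the "%1" placeholder into several argv
    entries, so we refuse more than one argument, and we refuse any argument
    that looks like a flag (-...) or a qutebrowser command (:...).
    Arguments *before* the flag come from the registry entry itself and are
    left alone, so users can still customize their invocation.
    """
    try:
        idx = argv.index(UNTRUSTED_FLAG)
    except ValueError:
        return None  # flag absent: nothing is marked untrusted

    rest = argv[idx + 1:]
    if len(rest) > 1:
        raise UntrustedArgsError(
            "multiple arguments after %s, refusing to start: %r"
            % (UNTRUSTED_FLAG, rest))
    if not rest:
        return None
    arg = rest[0]
    if arg.startswith(("-", ":")):
        raise UntrustedArgsError(
            "argument %r after %s looks like a flag or command, refusing"
            % (arg, UNTRUSTED_FLAG))
    return arg


def is_safe_invocation(argv: List[str]) -> bool:
    """True if the raw argv passes the early check, False if it would abort."""
    try:
        validate_untrusted_args(argv)
    except UntrustedArgsError:
        return False
    return True


if __name__ == "__main__":
    # Run on the raw sys.argv before argparse or QApplication see it.
    try:
        validate_untrusted_args(sys.argv)
    except UntrustedArgsError as err:
        sys.exit(str(err))
```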
This reverts commit e2c5fe6262564d9d85806bfa9d4486a411cf5045.
See https://mail.python.org/archives/list/python-dev@python.org/thread/ZMC67QA2JVQJSWSFWRS6IM6ZX4EK277G/#LSTMFAPSPD3BGZ4D6HQFODXZVB3PLYKF
(cherry picked from commit 204721836133485efb1acba6d2795193788f9eda)
(cherry picked from commit 52d551875dba74b63b322a07baa4aeac4da865eb)
(cherry picked from commit 676c9db2fe9833e52b12f723c3ed62a38759f82d)
(cherry picked from commit 0001d4fe20a4cdef9dd628fad220e09a03618932)
Looks like the Edge one doesn't work anymore.
Reverts db13e5283e2d20e83d348f15ea0f46c92e9f3e29 and reintroduces the Firefox UA
removed in e010afd3a20a86639396a9c844abfea7b23cc67a (but updated).
Closes #5182.
(cherry picked from commit 32c78dc7dbbaa42f69ab3bcec13abdbd6f33087d)
Closes #6592
(cherry picked from commit cc8e67962bae163eac80fe20e753aa90491bc6da)
(cherry picked from commit 4c479bb4ab9a25276ea9045c99b690dc925dd345)
See https://github.com/ArniDagur/python-adblock/issues/44
(cherry picked from commit 6dd402c0d0f7665d32a74c43c5b4cf5dc8aff28d)
Supersedes #6441
Closes #6559
$ .../.tox/py310/bin/python scripts/link_pyqt.py --tox .tox/py310
<string>:1: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
<string>:1: DeprecationWarning: The distutils.sysconfig module is deprecated, use sysconfig instead
See https://bugs.python.org/issue41282
See #6555
Update dependencies
If we're not waiting for the async INSERT in the SQL database, it can happen
that :debug-dump-history gets called before the history entry was added to the
actual database.
See #5390
Apple documentation claims this is for iOS/watchOS/tvOS only:
https://developer.apple.com/documentation/bundleresources/information_property_list/nsbluetoothalwaysusagedescription
However, reality tells a different story - according to Console.app, when
visiting accounts.google.com, qutebrowser/Chromium needs this permission.
Reproducible as well using the following demo page:
https://googlechrome.github.io/samples/web-bluetooth/battery-level.html
Finally, Google Chrome has the key declared as well. Note that it has
NSBluetoothPeripheralUsageDescription as well:
https://developer.apple.com/documentation/bundleresources/information_property_list/nsbluetoothperipheralusagedescription
...but that is deprecated, and according to my tests on macOS 10.14 and 10.15,
it's not needed.
Thanks to Apple for their wonderful documentation.... not.
Fixes #6475, hopefully for real this time.
See http://mypy-lang.blogspot.com/2021/05/the-upcoming-switch-to-modular-typeshed.html
Fixes #6353
This is already done in GreasemonkeyScript.__init__.
See #6530
Closes #6530
We don't need to check the log inside the test, as the quteproc fixture does
that for us anyways.
Also, looks like a new harmless message turned up.