Age | Commit message (Collapse) | Author |
|
Closes #6885
(cherry picked from commit 5d9dfc3b47ee740b016315e81358890e652070e4)
|
|
See https://github.com/koalaman/shellcheck/wiki/SC2295
(cherry picked from commit fa806ad667c37a36323de5effe342364c2e75ddd)
|
|
(cherry picked from commit d43529e2766eedb931d1c95c97323fed58cb7cce)
|
|
(cherry picked from commit be5e8abc5a3354f92ba593d5700376b22410faa1)
|
|
(cherry picked from commit 3686b958b210cb46f757603e5dee7d7ae6b21a72)
|
|
(cherry picked from commit ce070a23a91d79d38ba01fc8f279db7488ffbb89)
|
|
Speculative fix for issue reported by a macOS user: https://crashes.qutebrowser.org/lists?search=NullWriter
See https://github.com/pyinstaller/pyinstaller/issues/4481
(cherry picked from commit ed5af1fcd2b37f12a424e5d5d9b4e57ac331fe2a)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This reverts commit a0bfb7c824900881f01c53204d9e8cd0b5b78f53.
It *is* required, just used the wrong path...
gg
|
|
|
|
|
|
|
|
Seems to be fixed in PyInstaller 4.4? See #6611.
|
|
See #6611
|
|
|
|
|
|
|
|
|
|
This was originally intended as a fix for CVE-2021-41146, but it turned out the
same exploit works via e.g. https:// just as well. Still, it makes sense to
remove it.
|
|
On Windows, if an application is registered as an URL handler like this:
HKEY_CLASSES_ROOT
https
URL Protocol = ""
[...]
shell
open
command
(Default) = ".../qutebrowser.exe" "%1"
one would think that Windows takes care of making sure URLs can't inject
arguments by containing a quote. However, this is not the case, as
stated by the Microsoft docs:
https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa767914(v=vs.85)
Security Warning: Applications that handle URI schemes must consider how to
respond to malicious data. Because handler applications can receive data
from untrusted sources, the URI and other parameter values passed to the
application may contain malicious data that attempts to exploit the handling
application.
and
As noted above, the string that is passed to a pluggable protocol handler
might be broken across multiple parameters. Malicious parties could use
additional quote or backslash characters to pass additional command line
parameters. For this reason, pluggable protocol handlers should assume that
any parameters on the command line could come from malicious parties, and
carefully validate them. Applications that could initiate dangerous actions
based on external data must first confirm those actions with the user. In
addition, handling applications should be tested with URIs that are overly
long or contain unexpected (or undesirable) character sequences.
Indeed it's trivial to pass a command to qutebrowser this way - given how
trivial the exploit is to recreate given the information above, here's a PoC:
https:x" ":spawn calc
(or qutebrowserurl: instead of https: if qutebrowser isn't registered as a
default browser)
Some applications do escape the quote characters before calling
qutebrowser - but others, like Outlook Desktop or .url files, do not.
As a fix, we add an --untrusted-args flag and some early validation of the raw
sys.argv, before parsing any arguments or e.g. creating a QApplication (which
might already allow injecting Qt flags there).
We assume that there's no way for an attacker to inject flags *before* the %1
placeholder in the registry, and add --untrusted-args as the last argument of
the registry entry. This way, it'd still be possible for users to customize
their invocation flags without having to remove --untrusted-args.
After --untrusted-args, however, we have some rather strict checks:
- There should be zero or one arguments, but not two (or more)
- Any argument may not start with - (flag) or : (qutebrowser command)
We also add the --untrusted-args flag to the Linux .desktop file, though it
should not be needed there, as the specification there is sane:
https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html#exec-variables
Implementations must take care not to expand field codes into multiple
arguments unless explicitly instructed by this specification. This means
that name fields, filenames and other replacements that can contain spaces
must be passed as a single argument to the executable program after
expansion.
There is no comparable mechanism on macOS, which opens the application without
arguments and then sends an "open" event to it:
https://doc.qt.io/qt-5/qfileopenevent.html
This issue was introduced in qutebrowser v1.7.0 which started registering it as
URL handler: baee2888907b260881d5831c68500941937261a0 / #4086
This is by no means an issue isolated to qutebrowser. Many other projects have
had similar trouble with Windows' rather unexpected behavior:
Electron / Exodus Bitcoin wallet:
- http://web.archive.org/web/20190702112128/https://medium.com/0xcc/electrons-bug-shellexecute-to-blame-cacb433d0d62
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000006
- https://medium.com/hackernoon/exploiting-electron-rce-in-exodus-wallet-d9e6db13c374
IE/Firefox:
- https://bugzilla.mozilla.org/show_bug.cgi?id=384384
- https://bugzilla.mozilla.org/show_bug.cgi?id=1572838
Others:
- http://web.archive.org/web/20210930203632/https://www.vdoo.com/blog/exploiting-custom-protocol-handlers-in-windows
- https://parsiya.net/blog/2021-03-17-attack-surface-analysis-part-2-custom-protocol-handlers/
- etc. etc.
See CVE-2021-41146 / GHSA-vw27-fwjf-5qxm:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41146
https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm
Thanks to Ping Fan (Zetta) Ke of Valkyrie-X Security Research Group
(VXRL/@vxresearch) for finding and responsibly disclosing this issue.
|
|
|
|
|
|
Update dependencies
|
|
|
|
|
|
|
|
|
|
Update dependencies
|
|
|
|
|
|
See https://github.com/pytest-dev/pytest-bdd/issues/447
|
|
Add userscript bitwarden-rofi to the list of userscripts
|
|
|
|
Fix a couple of minor mistakes
|
|
|
|
Update dependencies
|
|
|
|
(partially cherry picked from commit 957c8bc3125dff1698f7de6163c115f221e600cf)
|
|
Based on the Greasemonkey implementation:
https://github.com/greasemonkey/greasemonkey/blob/4.11/src/bg/api-provider-source.js#L232-L249
Needed by e.g. this script to work at all:
https://greasyfork.org/en/scripts/394820-mouseover-popup-image-viewer
(cherry picked from commit 1bea82698153ba3e20529e010bc3f254b9904231)
|
|
Closes #6705
|
|
Update dependencies
|
|
|
|
This reverts commit 41febf947555ce2e91790c8dc1e4f4c222b00952.
diff_cover now requires pluggy >=1.0.0.
|