Move QuteSchemeHandler._check_initiator to its own method

2018-09-07 12:24:11 +02:00 · 2018-09-07 12:24:11 +02:00 · 15c547b3f5
commit 15c547b3f5
parent 5ca911bcdb
1 changed files with 29 additions and 15 deletions
--- a/qutebrowser/browser/webengine/webenginequtescheme.py
+++ b/qutebrowser/browser/webengine/webenginequtescheme.py
@ -39,6 +39,33 @@ class QuteSchemeHandler(QWebEngineUrlSchemeHandler):
            profile.installUrlSchemeHandler(b'chrome-error', self)
            profile.installUrlSchemeHandler(b'chrome-extension', self)
    def _check_initiator(self, job):
        """Check whether the initiator of the job should be allowed.
        Only the browser itself or qute:// pages should access any of those
        URLs. The request interceptor further locks down qute://settings/set.
        Args:
            job: QWebEngineUrlRequestJob
        Return:
            True if the initiator is allowed, False if it was blocked.
        """
        try:
            initiator = job.initiator()
        except AttributeError:
            # Added in Qt 5.11
            return True
        if initiator.isValid() and initiator.scheme() != 'qute':
            log.misc.warning("Blocking malicious request from {} to {}"
                                .format(initiator.toDisplayString(),
                                        url.toDisplayString()))
            job.fail(QWebEngineUrlRequestJob.RequestDenied)
            return False
        return True
    def requestStarted(self, job):
        """Handle a request for a qute: scheme.
@ -55,21 +82,8 @@ class QuteSchemeHandler(QWebEngineUrlSchemeHandler):
            job.fail(QWebEngineUrlRequestJob.UrlInvalid)
            return
-        # Only the browser itself or qute:// pages should access any of those
+        if not self._check_initiator(job):
-        # URLs.
+            return
        # The request interceptor further locks down qute://settings/set.
        try:
            initiator = job.initiator()
        except AttributeError:
            # Added in Qt 5.11
            pass
        else:
            if initiator.isValid() and initiator.scheme() != 'qute':
                log.misc.warning("Blocking malicious request from {} to {}"
                                 .format(initiator.toDisplayString(),
                                         url.toDisplayString()))
                job.fail(QWebEngineUrlRequestJob.RequestDenied)
                return
        if job.requestMethod() != b'GET':
            job.fail(QWebEngineUrlRequestJob.RequestDenied)