rnhmjoj/qutebrowser
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

urlmatch: Disallow NUL byte

Browse Source 
See https://bugs.chromium.org/p/chromium/issues/detail?id=390624
With Qt, we might run into the same issue as well at some point, and it sure
can't hurt to disallow it.
This commit is contained in:
Florian Bruhin 2018-02-14 22:20:51 +01:00
parent 76efba296f
commit 1b8dfb6c36
2 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
qutebrowser/utils/urlmatch.py
View File

@ -53,6 +53,9 @@ class UrlPattern:
self._match_all = True self._match_all = True
return return
if '\0' in pattern:
raise ValueError("May not contain NUL byte")
# > If the scheme is *, then it matches either http or https, and not # > If the scheme is *, then it matches either http or https, and not
# > file, or ftp. # > file, or ftp.
# Note we deviate from that, as per-URL settings aren't security # Note we deviate from that, as per-URL settings aren't security

3
tests/unit/utils/test_urlmatch.py
View File

@ -45,6 +45,9 @@ from qutebrowser.utils import urlmatch
# FIXME: should we allow this or not? # FIXME: should we allow this or not?
# ("http://bar", "URLPattern::"), # ("http://bar", "URLPattern::"),
# Chromium: PARSE_ERROR_INVALID_HOST
("http://\0www/", "May not contain NUL byte"),
# Chromium: PARSE_ERROR_INVALID_HOST_WILDCARD # Chromium: PARSE_ERROR_INVALID_HOST_WILDCARD
("http://*foo/bar", "Invalid host wildcard"), ("http://*foo/bar", "Invalid host wildcard"),
("http://foo.*.bar/baz", "Invalid host wildcard"), ("http://foo.*.bar/baz", "Invalid host wildcard"),