Don't escape URLs for qute://history

We only use the URL to set a 'href' attribute, which does not need escaping. See #4011 Fixes #4012
2018-06-23 14:27:07 +02:00 · 2018-06-23 14:27:07 +02:00 · a02c25dfb1
commit a02c25dfb1
parent d2254ca48b
6 changed files with 31 additions and 2 deletions
--- a/doc/changelog.asciidoc
+++ b/doc/changelog.asciidoc
@ -97,6 +97,9 @@ Fixed
 ~~~~~

 - Various subtle keyboard focus issues.
+- The security fix in v1.3.3 caused URLs with ampersands
+  (`www.example.com?one=1&two=2`) to send the wrong arguments when clicked on
+  the `qute://history` page.

 Removed
 ~~~~~~~
--- a/qutebrowser/browser/qutescheme.py
+++ b/qutebrowser/browser/qutescheme.py
@ -242,7 +242,7 @@ def history_data(start_time, offset=None):
        end_time = start_time - 24*60*60
        entries = hist.entries_between(end_time, start_time)

-    return [{"url": html.escape(e.url),
+    return [{"url": e.url,
             "title": html.escape(e.title) or html.escape(e.url),
             "time": e.atime} for e in entries]

--- a/qutebrowser/javascript/history.js
+++ b/qutebrowser/javascript/history.js
@ -114,7 +114,7 @@ window.loadHistory = (function() {
        title.className = "title";
        const link = document.createElement("a");
        link.href = itemUrl;
-        link.innerHTML = itemTitle;
+        link.innerHTML = itemTitle;  // Properly escaped in qutescheme.py
        const host = document.createElement("span");
        host.className = "hostname";
        host.innerHTML = link.hostname;
--- a/tests/end2end/features/history.feature
+++ b/tests/end2end/features/history.feature
@ -117,3 +117,10 @@ Feature: Page history
        When I open data/issue4011.html
        And I open qute://history
        Then the javascript message "XSS" should not be logged
+
+    Scenario: Escaping of URLs in :history
+        When I open query?one=1&two=2
+        And I open qute://history
+        And I hint with args "links normal" and follow a
+        And I wait until query?one=1&two=2 is loaded
+        Then the query parameter two should be set to 2
--- a/tests/end2end/features/test_history_bdd.py
+++ b/tests/end2end/features/test_history_bdd.py
@ -17,6 +17,7 @@
 # You should have received a copy of the GNU General Public License
 # along with qutebrowser.  If not, see <http://www.gnu.org/licenses/>.

+import json
 import logging
 import re

@ -34,6 +35,19 @@ def turn_on_sql_history(quteproc):
    quteproc.wait_for_load_finished_url('qute://pyeval')


+@bdd.then(bdd.parsers.parse("the query parameter {name} should be set to "
+                            "{value}"))
+def check_query(quteproc, name, value):
+    """Check if a given query is set correctly.
+
+    This assumes we're on the server query page.
+    """
+    content = quteproc.get_content()
+    data = json.loads(content)
+    print(data)
+    assert data[name] == value
+
+
@bdd.then(bdd.parsers.parse("the history should contain:\n{expected}"))
 def check_history(quteproc, server, tmpdir, expected):
    path = tmpdir / 'history'
--- a/tests/end2end/fixtures/webserver_sub.py
+++ b/tests/end2end/fixtures/webserver_sub.py
@ -261,6 +261,11 @@ def response_headers():
    return response


+@app.route('/query')
+def query():
+    return flask.jsonify(flask.request.args)
+
+
@app.route('/user-agent')
 def view_user_agent():
    """Return User-Agent."""