qutebrowser

Author SHA1 Message Date

Author	SHA1	Message	Date
Florian Bruhin	43e58ac865	CVE-2018-10895: Fix CSRF issues with qute://settings/set URL In `ffc29ee043` (part of v1.0.0), a qute://settings/set URL was added to change settings. Contrary to what I apparently believed at the time, it is possible for websites to access `qute://*` URLs (i.e., neither QtWebKit nor QtWebEngine prohibit such requests, other than the usual cross-origin rules). In other words, this means a website can e.g. have an `<img>` tag which loads a `qute://settings/set` URL, which then sets `editor.command` to a bash script. The result of that is arbitrary code execution. Fixes #4060 See #2332	2018-07-11 17:05:23 +02:00

Florian Bruhin

43e58ac865

CVE-2018-10895: Fix CSRF issues with qute://settings/set URL

In ffc29ee043 (part of v1.0.0), a
qute://settings/set URL was added to change settings.

Contrary to what I apparently believed at the time, it *is* possible for
websites to access `qute://*` URLs (i.e., neither QtWebKit nor QtWebEngine
prohibit such requests, other than the usual cross-origin rules).

In other words, this means a website can e.g. have an `<img>` tag which loads a
`qute://settings/set` URL, which then sets `editor.command` to a bash script.
The result of that is arbitrary code execution.

Fixes #4060
See #2332

2018-07-11 17:05:23 +02:00

1 Commits