Florian Bruhin
43e58ac865
CVE-2018-10895: Fix CSRF issues with qute://settings/set URL
...
In ffc29ee043 (part of v1.0.0), a
qute://settings/set URL was added to change settings.
Contrary to what I apparently believed at the time, it *is* possible for
websites to access `qute://*` URLs (i.e., neither QtWebKit nor QtWebEngine
prohibit such requests, other than the usual cross-origin rules).
In other words, this means a website can e.g. have an `<img>` tag which loads a
`qute://settings/set` URL, which then sets `editor.command` to a bash script.
The result of that is arbitrary code execution.
Fixes #4060
See #2332
2018-07-11 17:05:23 +02:00
Florian Bruhin
b9fc068af5
Add a log-requests debug-flag
2018-05-07 10:23:56 +02:00
Florian Bruhin
3170e35b31
Simplify QtWebKit scheme handlers
2018-02-11 17:14:41 +01:00
Florian Bruhin
c112290664
Make QtNetwork download manager great^H^H^H^Hlobal again
...
We originally made it per-window in b502280c06 for issue #228, but that was
back when we still needed window IDs for stuff like message.info.
Nowadays, there's no reason for it to be per-window anymore. The rest of the
download code can deal with one global download manager (because QtWebEngine has
one), and apart from QNAM code which wasn't used here anyways (as tab_id=None)
there was nothing using the window ID anymore.
Also see #3456 which was the original motivation for this change.
2018-02-11 16:15:29 +01:00
Florian Bruhin
6f028e9ad0
Update copyright years
2018-02-05 12:19:50 +01:00
Florian Bruhin
b9aa5df5ed
Add unit tests for UnicodeEncodeError handling
2017-11-08 07:47:11 +01:00
Florian Bruhin
ef1c83862b
Use utils.is_* for platform checks everywhere
2017-09-20 11:10:24 +02:00
Florian Bruhin
3a5241b642
Start using attrs
...
Closes #1073
2017-09-19 22:21:45 +02:00
Florian Bruhin
852baaa8c3
Drop support for Qt < 5.7.1
...
See #2742
2017-09-18 23:01:17 +02:00
Florian Bruhin
22b0f2fd24
Various simple test updates for new config
...
test_cache
test_cookies
test_webkitelem
test_cmdutils
test_runners
test_completionwidget
test_messageview
test_editor
test_miscwidgets
test_sessions
test_urlutils
test_utils
test_prompt
statusbar/test_*
test_cmdhistory
test_tabwidget
test_tab
test_downloads
test_networkmanager
2017-07-04 15:08:04 +02:00
Florian Bruhin
556f49d367
Add PACFetcher.fetch
...
Let's not try to download proxies during tests...
2017-07-04 15:08:04 +02:00
Florian Bruhin
f66c1a0e44
Merge commit '3d9729839d6d9b5ee5d38afdf6ddf410dfca2027' into abbradar/pac-fix
2017-05-19 08:36:39 +02:00
Nikolay Amiantov
3d9729839d
Fix crash on PAC evaluation error
2017-05-18 16:54:49 +03:00
Florian Bruhin
00a7a0cee6
Reorganize pylint config
...
This removes various stuff we don't need anymore, and also re-enables and fixes
the import order check.
2017-05-17 20:20:12 +02:00
Florian Bruhin
c6e31391de
Fix most tests/lint
2017-05-10 09:19:24 +02:00
Florian Bruhin
822623f2ed
Finally update copyrights...
2017-05-09 21:37:03 +02:00
Florian Bruhin
db8b6d3e68
Add test for QNetworkReply.abort
2017-04-17 16:02:57 +02:00
Florian Bruhin
4ec5700cbf
Redirect qute:foo to qute://foo
...
Before, we just returned the same data for both, but then we'll run into
same-origin restrictions as qute:history and qute:history/data are not the same
host.
2017-04-06 21:18:58 +02:00
Florian Bruhin
deb59fc66e
Don't strip info when loading PAC from a file
2017-03-01 14:19:23 +01:00
Florian Bruhin
9bb5c9fdab
Remove UserInfo and path/query for PAC URLs
2017-03-01 14:19:13 +01:00
Florian Bruhin
ca4f249c30
Use three-argument form of monkeypatch.*attr
2017-03-01 11:33:41 +01:00
Kirill A. Shutemov
13213724b0
PAC: fix isPlainHostName()
...
Fix isPlainHostName() implementation and add test-case for it.
Signed-off-by: Kirill A. Shutemov <kirill@shutemov.name>
2017-02-21 12:16:46 +03:00
Florian Bruhin
b1a95a3930
Add automatic backend selection in earlyinit
2017-02-05 17:09:04 +01:00
Florian Bruhin
de50f30b9b
Replace all GitHub links
2017-02-05 00:13:11 +01:00
Florian Bruhin
b6e31d4172
Fix parametrizing
2017-02-04 19:03:59 +01:00
Florian Bruhin
0cc7f845e6
Simplify test
2017-02-04 18:10:34 +01:00
Nikolay Amiantov
aec002fa29
Add more tests for PAC
2017-01-03 13:47:13 +03:00
Florian Bruhin
6c1b7dcca1
Move proxy/pac out of QtWebKit folder
2016-12-22 13:54:11 +01:00
Florian Bruhin
a3d0ea7e01
Adjust skipped test
2016-12-22 09:04:23 +01:00
Nikolay Amiantov
27d64d3680
Add tests for PAC resolver and fetcher
2016-12-07 02:01:19 +03:00
Florian Bruhin
5bef7dc74c
Use file with known mimetype for qutescheme test
2016-09-14 16:48:49 +02:00
Florian Bruhin
3a27c45ac9
More cleanup in test_webkitqutescheme
2016-09-14 12:08:35 +02:00
Florian Bruhin
5b527d0f1e
Rename test_qutescheme to test_webkitqutescheme
2016-09-14 12:07:26 +02:00
Florian Bruhin
cc1e134f25
Fix test_qutescheme.py
2016-09-14 12:05:15 +02:00
Florian Bruhin
4bf94f3c24
Use order='strict' with qtbot.waitSignals
...
See #1702
2016-07-29 09:12:06 +02:00
Florian Bruhin
79b3f26de8
Decode HTML in test_filescheme
...
Otherwise we get a BytesWarning inside BeautifulSoup
2016-07-28 07:19:09 +02:00
Florian Bruhin
4fccc89d7d
Split browser into browser/browser.webkit
2016-06-13 11:18:21 +02:00