Commit Graph

8 Commits

Author SHA1 Message Date
Florian Bruhin
43e58ac865 CVE-2018-10895: Fix CSRF issues with qute://settings/set URL
In ffc29ee043 (part of v1.0.0), a
qute://settings/set URL was added to change settings.

Contrary to what I apparently believed at the time, it *is* possible for
websites to access `qute://*` URLs (i.e., neither QtWebKit nor QtWebEngine
prohibit such requests, other than the usual cross-origin rules).

In other words, this means a website can e.g. have an `<img>` tag which loads a
`qute://settings/set` URL, which then sets `editor.command` to a bash script.
The result of that is arbitrary code execution.

Fixes #4060
See #2332
2018-07-11 17:05:23 +02:00
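The request chain the commit message above describes, as an added illustration: an untrusted page embeds an `<img>` whose `src` points at a privileged `qute://settings/set` URL, the browser fetches it like any other subresource, and the handler mutates a setting. This is model code written for this page, not qutebrowser's handler and not the change in 43e58ac865. The query-parameter names (`option`, `value`, `token`), the per-render CSRF token used as the hardening, the starting `editor.command` value and the attacker page are all assumptions constructed for the demo.

```python
"""Toy model of a privileged-scheme settings handler, vulnerable vs. hardened.

Added example, not qutebrowser code. Parameter names, the token scheme and the
attacker page are constructed assumptions for the demonstration.
"""
import secrets
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class SettingsHandler:
    """Handles qute://settings (render page) and qute://settings/set (mutate)."""

    def __init__(self, require_token):
        self.require_token = require_token
        # Assumed initial value; the real default is not shown on this page.
        self.config = {"editor.command": ["gvim", "-f", "{file}"]}
        self.csrf_token = None  # only exists after the settings page was rendered

    def render_settings_page(self):
        """A fresh token is minted per render and embedded in the page's form."""
        self.csrf_token = secrets.token_urlsafe(32)
        return ('<form action="qute://settings/set?token=%s">'
                '<input name="option"><input name="value"></form>' % self.csrf_token)

    def handle(self, url):
        parts = urlsplit(url)
        if parts.scheme != "qute" or parts.netloc != "settings":
            return "error: not a qute://settings URL"
        if parts.path != "/set":
            return self.render_settings_page()
        query = parse_qs(parts.query)
        if self.require_token:
            # Hardened path: a set request is only honoured when it carries the
            # token that was embedded in a settings page we rendered ourselves.
            # Encoding to bytes keeps compare_digest safe for non-ASCII input.
            token = query.get("token", [""])[0].encode()
            if not self.csrf_token or not secrets.compare_digest(
                    token, self.csrf_token.encode()):
                return "error: invalid CSRF token"
        option = query.get("option", [None])[0]
        value = query.get("value", [None])[0]
        if option is None or value is None:
            return "error: missing option or value"
        self.config[option] = value  # vulnerable path: any GET lands here
        return "ok"


class ImgSrcCollector(HTMLParser):
    """Collects every <img src=...> the way a rendering engine would fetch them."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.urls.append(value)


# Constructed attacker page: an ordinary web page with one hostile subresource.
ATTACKER_PAGE = """<html><body>
<p>Nothing to see here.</p>
<img src="qute://settings/set?option=editor.command&amp;value=bash%20/tmp/evil.sh">
</body></html>"""


def load_page(handler, html):
    """Model of the browser loading an untrusted page: each <img> is fetched
    with no cross-scheme restriction, which is the gap the commit describes."""
    collector = ImgSrcCollector()
    collector.feed(html)
    return [handler.handle(url) for url in collector.urls]


def run_attack(require_token, settings_opened=False):
    """Returns (responses, resulting editor.command) after the attacker page loads."""
    handler = SettingsHandler(require_token)
    if settings_opened:
        handler.handle("qute://settings")  # user had the settings page open
    responses = load_page(handler, ATTACKER_PAGE)
    return responses, handler.config["editor.command"]


def run_legit(require_token):
    """Legitimate flow: open the settings page, submit with the embedded token."""
    handler = SettingsHandler(require_token)
    handler.handle("qute://settings")
    response = handler.handle(
        "qute://settings/set?token=%s&option=editor.command&value=nano"
        % handler.csrf_token)
    return response, handler.config["editor.command"]


if __name__ == "__main__":
    print("vulnerable:", run_attack(require_token=False))
    print("hardened:  ", run_attack(require_token=True))
    print("legit:     ", run_legit(require_token=True))
```

The point of the token check is that the hostile page can trigger the request but cannot read a token that only appears inside a page it has no access to, so the request is recognisable as not originating from the settings UI; a same-origin check on the scheme alone would not help, since the request is issued by the browser itself.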
Florian Bruhin
6f028e9ad0 Update copyright years 2018-02-05 12:19:50 +01:00
Florian Bruhin
8555b86e3b Add copyright notice for pyeval_file.py 2017-11-19 21:09:48 +01:00
Akhil kp
21e731ebeb fixed build errors (typing errors) 2017-11-19 23:49:11 +05:30
Akhil kp
c5eab53a87 Added --file for :debug-pyeval 2017-11-19 18:20:58 +05:30
pkill9
6cb48ba2b6 Adds a --file flag to :jseval 2017-02-25 13:11:53 +00:00
Florian Bruhin
07e67740cc Add missing jseval.html 2016-09-12 20:02:03 +02:00
Florian Bruhin
64d4c9f83e Clean up end2end test file structure
This renames tests/integration to tests/end2end and moves some files to
tests/end2end/fixtures.
2016-05-29 18:20:00 +02:00