Commit Graph

21 Commits

Author SHA1 Message Date
Florian Bruhin
43e58ac865 CVE-2018-10895: Fix CSRF issues with qute://settings/set URL
In ffc29ee043 (part of v1.0.0), a
qute://settings/set URL was added to change settings.

Contrary to what I apparently believed at the time, it *is* possible for
websites to access `qute://*` URLs (i.e., neither QtWebKit nor QtWebEngine
prohibits such requests, other than the usual cross-origin rules).

In other words, this means a website can e.g. have an `<img>` tag which loads a
`qute://settings/set` URL, which then sets `editor.command` to a bash script.
The result of that is arbitrary code execution.

Fixes #4060
See #2332
2018-07-11 17:05:23 +02:00
Florian Bruhin
3652553a8f Mark second qute://settings test as flaky 2018-01-23 19:42:22 +01:00
Justin Partain
bcd9d13684 Update tests to use search.ignore_case 2017-12-12 11:31:28 -05:00
Florian Bruhin
eb90f9835f Mark qute://settings test as flaky 2017-12-06 20:54:14 +01:00
Florian Bruhin
e5cabb6d23 Match QtWebKit error message for qute://help/img test 2017-11-22 08:40:20 +01:00
Akhil kp
21e731ebeb fixed build errors (typing errors) 2017-11-19 23:49:11 +05:30
akhilkpdasan
4644642c38 fixed test for pyeval --file 2017-11-19 19:10:36 +05:30
Akhil kp
c5eab53a87 Added --file for :debug-pyeval 2017-11-19 18:20:58 +05:30
dwagle
233cea4b62 discarded unnecessary comment and adjusted some code to make pylint happy, also made adjustments to pytest scenarios 2017-11-15 15:48:21 +05:45
dwagle
b3b768f4a8 normalize url path and strip trailing slashes when doing gu/gU, normalize every qute://* URL and raise OSError when a URL redirects to a directory in qute://help/ pages 2017-11-14 21:23:40 +05:45
Florian Bruhin
378b280f9a Fix qute://gpl 2017-11-06 12:13:54 +01:00
dwagle
95539961a4 made some adjustments in tests/end2end/features/qutescheme.feature for the tests to pass. These are to account for changes made in f70740c, 4c9482b and aab7496 2017-10-31 12:08:43 +05:45
dwagle
4c9482be84 added a Scenario: Opening link with qute://help to tests/end2end/features/qutescheme.feature 2017-10-30 17:49:22 +05:45
Florian Bruhin
e9a50f5f9f Another attempt at stabilizing qutescheme.feature 2017-10-11 08:46:53 +02:00
Florian Bruhin
211de6d664 Leave qute://settings after tests are done
Let's see whether this helps with the flakiness where the next test (for pyeval)
tries to set frame_flattening...
2017-10-10 21:45:57 +02:00
Florian Bruhin
feaccb3083 Rename :scroll-perc to :scroll-to-perc
Closes #2819
2017-10-03 22:59:32 +02:00
Florian Bruhin
08b5fc8e3b Stabilize qute://plainlog test
Looks like we actually get a loading event on Qt 5.9 just fine, and there was a
race condition here otherwise.
2017-09-13 21:32:36 +02:00
Florian Bruhin
56b673ca05 tests: Don't use <Ctrl+Backspace> to clear qute://settings fields
This won't work on macOS
2017-09-13 10:29:54 +02:00
Ryan Roden-Corrent
6a292f9d56 Merge quteurls.feature into qutescheme.feature. 2017-08-28 07:18:14 -04:00
Florian Bruhin
acf85eb96b Stabilize qute://settings test 2017-07-04 15:09:23 +02:00
Florian Bruhin
353c10aee7 Add a separate qutescheme BDD file 2017-07-04 15:08:03 +02:00