qutebrowser/qutebrowser
Florian Bruhin 43e58ac865 CVE-2018-10895: Fix CSRF issues with qute://settings/set URL
In ffc29ee043 (part of v1.0.0), a
qute://settings/set URL was added to change settings.

Contrary to what I apparently believed at the time, it *is* possible for
websites to access `qute://*` URLs (i.e., neither QtWebKit nor QtWebEngine
prohibits such requests, other than the usual cross-origin rules).

In other words, this means a website can e.g. have an `<img>` tag which loads a
`qute://settings/set` URL, which then sets `editor.command` to a bash script.
The result of that is arbitrary code execution.

Fixes #4060
See #2332
2018-07-11 17:05:23 +02:00
browser CVE-2018-10895: Fix CSRF issues with qute://settings/set URL 2018-07-11 17:05:23 +02:00
commands Completion for varargs. 2018-03-25 21:59:30 -04:00
completion Revert "Add workaround for PyQt 5.11 headerDataChanged bug" 2018-07-02 22:32:59 +02:00
config Support URL patterns for permissions and ssl_strict 2018-06-24 21:38:37 +02:00
html CVE-2018-10895: Fix CSRF issues with qute://settings/set URL 2018-07-11 17:05:23 +02:00
img New qutebrowser logo! 2016-04-14 17:44:38 +02:00
javascript eslint: Turn off max-lines-per-function 2018-06-25 08:14:02 +02:00
keyinput Support new dead keys added in Qt 5.11 properly 2018-07-02 22:32:59 +02:00
mainwindow Add a wrapper around sip 2018-07-02 22:32:59 +02:00
misc Add a wrapper around sip 2018-07-02 22:32:59 +02:00
utils Strip trailing newlines from pastebin URL 2018-07-08 22:09:56 +02:00
__init__.py Release v1.4.0 2018-07-03 15:44:44 +02:00
__main__.py Update copyright years 2018-02-05 12:19:50 +01:00
app.py Merge remote-tracking branch 'origin/pr/3613' 2018-03-13 08:39:36 +01:00
qt.py Add a wrapper around sip 2018-07-02 22:32:59 +02:00
qutebrowser.py Add a lost-focusproxy debug flag 2018-06-11 21:27:08 +02:00
resources.py Regenerate resources 2016-04-14 17:59:28 +02:00