Date: Saturday, September 29, 2018 @ 17:52:12 Author: foxboron Revision: 387926
upgpkg: qutebrowser 1.4.2-2 Added: qutebrowser/trunk/initiator.patch Modified: qutebrowser/trunk/PKGBUILD -----------------+ PKGBUILD | 17 ++++++++---- initiator.patch | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 87 insertions(+), 5 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2018-09-29 17:48:51 UTC (rev 387925) +++ PKGBUILD 2018-09-29 17:52:12 UTC (rev 387926) @@ -4,7 +4,7 @@ pkgname=qutebrowser pkgver=1.4.2 -pkgrel=1 +pkgrel=2 pkgdesc="A keyboard-driven, vim-like browser based on PyQt5" arch=("any") url="http://www.qutebrowser.org/" @@ -21,18 +21,25 @@ "qt5-webkit: alternative backend") options=(!emptydirs) source=("https://github.com/qutebrowser/qutebrowser/releases/download/v$pkgver/qutebrowser-$pkgver.tar.gz" - "https://github.com/qutebrowser/qutebrowser/releases/download/v$pkgver/qutebrowser-$pkgver.tar.gz.asc") + "https://github.com/qutebrowser/qutebrowser/releases/download/v$pkgver/qutebrowser-$pkgver.tar.gz.asc" + "initiator.patch") validpgpkeys=("E04E560002401B8EF0E76F0A916EB0C8FD55A072") sha256sums=('fd5d47b0e45e40b1348caf37e8ac304256d453d147f7a930193d3c4aeb21d2de' - 'SKIP') + 'SKIP' + '44654dc6515245ae05597ad9b8a3917e9391210dfc4fd61210153502b49fd0a3') +prepare() { + cd $pkgname-$pkgver + patch -Np1 -i "${srcdir}/initiator.patch" +} + build() { - cd "$srcdir/$pkgname-$pkgver" + cd "$pkgname-$pkgver" a2x -f manpage doc/qutebrowser.1.asciidoc python setup.py build } package() { - cd "$srcdir/$pkgname-$pkgver" + cd "$pkgname-$pkgver" make -f misc/Makefile DESTDIR="$pkgdir" PREFIX=/usr install } Added: initiator.patch =================================================================== --- initiator.patch (rev 0) +++ initiator.patch 2018-09-29 17:52:12 UTC (rev 387926) 
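Review bot: The new `prepare()` enters the source tree with an unquoted `cd $pkgname-$pkgver`, while `build()` and `package()` in the same hunk use `cd "$pkgname-$pkgver"`; quote it so the three functions agree. The `initiator.patch` source entry also carries no note of which upstream change it backports, which makes it hard to tell when the patch can be dropped. A comment above `prepare()` would cover that, for example `# initiator.patch: backport of upstream fix <UPSTREAM-COMMIT-ID>, drop once a release contains it`.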
@@ -0,0 +1,75 @@
+diff --git a/qutebrowser/browser/webengine/webenginequtescheme.py b/qutebrowser/browser/webengine/webenginequtescheme.py
+index 3eb7c7df1..3ddbf48f4 100644
+--- a/qutebrowser/browser/webengine/webenginequtescheme.py
++++ b/qutebrowser/browser/webengine/webenginequtescheme.py
+@@ -19,7 +19,7 @@
+
+ """QtWebEngine specific qute://* handlers and glue code."""
+
+-from PyQt5.QtCore import QBuffer, QIODevice
++from PyQt5.QtCore import QBuffer, QIODevice, QUrl
+ from PyQt5.QtWebEngineCore import (QWebEngineUrlSchemeHandler,
+ QWebEngineUrlRequestJob)
+
+@@ -39,6 +39,37 @@ class QuteSchemeHandler(QWebEngineUrlSchemeHandler):
+ profile.installUrlSchemeHandler(b'chrome-error', self)
+ profile.installUrlSchemeHandler(b'chrome-extension', self)
+
++ def _check_initiator(self, job):
++ """Check whether the initiator of the job should be allowed.
++
++ Only the browser itself or qute:// pages should access any of those
++ URLs. The request interceptor further locks down qute://settings/set.
++
++ Args:
++ job: QWebEngineUrlRequestJob
++
++ Return:
++ True if the initiator is allowed, False if it was blocked.
++ """
++ try:
++ initiator = job.initiator()
++ except AttributeError:
++ # Added in Qt 5.11
++ return True
++
++ if initiator == QUrl('null') and not qtutils.version_check('5.12'):
++ # WORKAROUND for https://bugreports.qt.io/browse/QTBUG-70421
++ return True
++
++ if initiator.isValid() and initiator.scheme() != 'qute':
++ log.misc.warning("Blocking malicious request from {} to {}".format(
++ initiator.toDisplayString(),
++ job.requestUrl().toDisplayString()))
++ job.fail(QWebEngineUrlRequestJob.RequestDenied)
++ return False
++
++ return True
++
+ def requestStarted(self, job):
+ """Handle a request for a qute: scheme.
+
+@@ -55,21 +86,8 @@ class QuteSchemeHandler(QWebEngineUrlSchemeHandler):
+ job.fail(QWebEngineUrlRequestJob.UrlInvalid)
+ return
+
+- # Only the browser itself or qute:// pages should access any of those
+- # URLs.
+- # The request interceptor further locks down qute://settings/set.
+- try:
+- initiator = job.initiator()
+- except AttributeError:
+- # Added in Qt 5.11
+- pass
+- else:
+- if initiator.isValid() and initiator.scheme() != 'qute':
+- log.misc.warning("Blocking malicious request from {} to {}"
+- .format(initiator.toDisplayString(),
+- url.toDisplayString()))
+- job.fail(QWebEngineUrlRequestJob.RequestDenied)
+- return
++ if not self._check_initiator(job):
++ return
+
+ if job.requestMethod() != b'GET':
+ job.fail(QWebEngineUrlRequestJob.RequestDenied)
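Review bot: The `QUrl('null')` branch in `_check_initiator` fails open, and its comment gives only the bug link, not the consequence. On Qt older than 5.12, any request whose initiator compares equal to `QUrl('null')` is allowed before the scheme test runs, so on those versions the handler cannot tell the browser's own requests from a page that presents a null initiator. I would state that next to the workaround, e.g. `# Fails open: on Qt < 5.12 a 'null' initiator is always allowed, so only the request interceptor guards qute://settings/set here.` The hunk adds only the `QUrl` import, so `qtutils` presumably is already imported in the module; that is worth confirming, since a missing name would raise inside the scheme handler. `requestStarted` continues past the end of the hunk.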