From me at the-compiler.org Mon Jan 9 06:24:02 2017 From: me at the-compiler.org (Florian Bruhin) Date: Mon, 9 Jan 2017 06:24:02 +0100 Subject: [qutebrowser-announce] Various qutebrowser annoucements Message-ID: <20170109052402.mmatfwii6qukjkxe@tonks> Hey, various little annoucements I have to make: - The v0.9.0 package for Debian had a packaging bug, it got reuploaded with that fixed. If you're using the old one, any error page will crash - please redownload and reinstall it. - Also, I got a lot of crash reports about that without any information. I really do read those! :P - Python 3.6 got released, and at least Archlinux updated. If you have a virtualenv set up, you'll need to rebuild it. If you use tox, you'll need to use tox -e py36 now. You also should rebuild any Python packages from AUR (pacman -Qm) - Two tests in test_invocations.py are currently failing on Archlinux. If you do a PR and those fail, feel free to ignore them. Haven't had time to investigate yet. - If you get Harfbuzz errors on Archlinux, update to freetype2 2.7.1. If you're using infinality, use upstream's freetype2 instead as infinality is outdated (and Bohoomil's repo seems to be dead for months now) - I'm busy with exams for the next 4 weeks or so, and will probably take some actual holidays without much qutebrowser-work for the two weeks after that - so everything will probably be a bit slower until mid-February ;) - On a related note, still no v0.9.0 .dmg until I have time to go to the hackerspace and find out what's up with my Mac. - Social convention dictates me to wish you a happy new year! ;) Florian -- http://www.the-compiler.org | me at the-compiler.org (Mail/XMPP) GPG: 916E B0C8 FD55 A072 | http://the-compiler.org/pubkey.asc I love long mails! | http://email.is-not-s.ms/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From me at the-compiler.org Fri Jan 13 18:43:13 2017 From: me at the-compiler.org (Florian Bruhin) Date: Fri, 13 Jan 2017 18:43:13 +0100 Subject: [qutebrowser-announce] qutebrowser v0.9.1 released (security fix) Message-ID: <20170113174312.6icnt3y6z3jpa5o2@tonks> Hi, I just released qutebrowser v0.9.1, which fixes a security issue with QtWebEngine. Due to a Qt bug[1], download paths with QtWebEngine are percent-encoded, i.e. a file named "foo bar" got saved as "foo%20bar". Thus, qutebrowser was percent-decoding that path again. However, when the server uses a Content-Disposition header to set a custom filename, percent-escapes therein are decoded as well. This means a server can send such a header with a value like "..%2F.bash_login", and since %2F decodes to a slash, qutebrowser will download the served file to ~/.bash_login (assuming that ~/Downloads is set as download dir). If download prompts are disabled, this could happen silently. If download auto cleanup is enabled, this could potentially go unnoticed in some way. This means I felt obliged to fix this right away even though I'm supposed to learn for upcoming exams ;) Either way - this is fixed in v0.9.1. If you can't update right away for some reason, I recommend setting: storage -> prompt-download-directory = true completion -> download-path-suggestion = both so you'd notice if this happens. This issue was introduced with v0.9.0 and only affects QtWebEngine. Sorry for the trouble! Florian [1] https://bugreports.qt.io/browse/QTBUG-58155 -- http://www.the-compiler.org | me at the-compiler.org (Mail/XMPP) GPG: 916E B0C8 FD55 A072 | http://the-compiler.org/pubkey.asc I love long mails! | http://email.is-not-s.ms/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From me at the-compiler.org Mon Jan 30 17:28:26 2017 From: me at the-compiler.org (Florian Bruhin) Date: Mon, 30 Jan 2017 17:28:26 +0100 Subject: [qutebrowser-announce] Qt 5.8 Message-ID: <20170130162826.kv7irispv2qb53wa@tonks> Hi, Qt 5.8 breaks various things, and I probably won't have time this week to fix things and cut a new release. So, don't upgrade to Qt 5.8 for now if you haven't yet - and if you have, at least switch to qutebrowser-git where I try to fix the most annoying issues with some workarounds until I have time to take a proper look ;) Florian -- http://www.the-compiler.org | me at the-compiler.org (Mail/XMPP) GPG: 916E B0C8 FD55 A072 | http://the-compiler.org/pubkey.asc I love long mails! | http://email.is-not-s.ms/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: