[qutebrowser] qutebrowser v0.9.1 released (security fix)

Florian Bruhin me at the-compiler.org
Fri Jan 13 18:43:13 CET 2017


Hi,

I just released qutebrowser v0.9.1, which fixes a security issue with
QtWebEngine.

Due to a Qt bug[1], download paths with QtWebEngine are
percent-encoded, i.e. a file named "foo bar" got saved as "foo%20bar".

Thus, qutebrowser was percent-decoding that path again. However, when
the server uses a Content-Disposition header to set a custom
filename, percent-escapes therein are decoded as well.

This means a server can send such a header with a value like
"..%2F.bash_login", and since %2F decodes to a slash, qutebrowser will
download the served file to ~/.bash_login (assuming that ~/Downloads
is set as download dir).

If download prompts are disabled, this could happen silently. If
download auto cleanup is enabled, this could potentially go unnoticed
in some way. This means I felt obliged to fix this right away even
though I'm supposed to learn for upcoming exams ;)

Either way - this is fixed in v0.9.1. If you can't update right away
for some reason, I recommend setting:

  storage -> prompt-download-directory = true
  completion -> download-path-suggestion = both

so you'd notice if this happens.

This issue was introduced with v0.9.0 and only affects QtWebEngine.

Sorry for the trouble!

Florian

[1] https://bugreports.qt.io/browse/QTBUG-58155

-- 
http://www.the-compiler.org | me at the-compiler.org (Mail/XMPP)
   GPG: 916E B0C8 FD55 A072 | http://the-compiler.org/pubkey.asc
         I love long mails! | http://email.is-not-s.ms/
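
The decode-then-join behaviour described in this mail, next to a hardened variant, as an added illustration. It is not qutebrowser's code or its actual fix; the function names and the sample download directory are assumptions, and posixpath is used so the result is the same on any platform.

```python
import posixpath
import urllib.parse

DOWNLOAD_DIR = "/home/user/Downloads"  # constructed sample path (assumption)


def naive_target(suggested, download_dir=DOWNLOAD_DIR):
    """Behaviour described in the mail: percent-decode the name, then join.

    A Content-Disposition filename containing %2F gains a real slash here,
    so "..%2F" steps out of the download directory.
    """
    decoded = urllib.parse.unquote(suggested)
    return posixpath.normpath(posixpath.join(download_dir, decoded))


def safe_target(suggested, download_dir=DOWNLOAD_DIR):
    """Hypothetical hardened variant: decode, keep only the final path
    component, then verify the result is still inside the download dir."""
    decoded = urllib.parse.unquote(suggested)
    # Treat backslashes as separators too, then drop every directory part.
    name = posixpath.basename(decoded.replace("\\", "/"))
    if name in ("", ".", ".."):
        name = "download"  # fallback name (assumption)
    root = posixpath.normpath(download_dir)
    target = posixpath.normpath(posixpath.join(root, name))
    # Defence in depth: refuse anything that resolves outside the root.
    if posixpath.commonpath([root, target]) != root:
        raise ValueError("refusing path outside download dir: %r" % suggested)
    return target


if __name__ == "__main__":
    # Header value quoted in the mail, plus the benign "foo bar" case.
    for value in ("..%2F.bash_login", "foo%20bar"):
        print("%-20s naive=%s" % (value, naive_target(value)))
        print("%-20s safe =%s" % (value, safe_target(value)))
```

The same check works as a log or test assertion: any download whose resolved target does not have the configured download directory as its common path indicates the decoded name escaped it.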