[qutebrowser] qutebrowser v2.4.0 released: Critical RCE fix on Windows (CVE-2021-41146), plus small features/fixes

Florian Bruhin me at the-compiler.org
Thu Oct 21 19:22:23 CEST 2021


Hey,

I'm happy to announce that I just released qutebrowser v2.4.0!

This release fixes a high-severity arbitrary command execution on
Windows via URL handlers, see the security advisory and commit message
for details:
https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm
https://github.com/qutebrowser/qutebrowser/commit/8f46ba3f6dc7b18375f7aa63c48a1fe461190430

Windows users are urged to update as soon as possible. For everyone
else, this is a rather quiet release, with the most interesting
improvement perhaps being slightly improved Greasemonkey support.

Here's the full changelog:

Security
~~~~~~~~

- **CVE-2021-41146**: Fix arbitrary command execution on Windows via URL handler
  argument injection. See the security advisory for details.

Added
~~~~~

- New `content.blocking.hosts.block_subdomains` setting which can be used to
  disable the subdomain blocking for the hosts-based adblocker introduced in
  v2.3.0.
- New `downloads.prevent_mixed_content` setting to prevent insecure
  mixed-content downloads (true by default).
- New `--private` flag for `:tab-clone`, which clones a tab into a new private
  window, mirroring the same flags for `:open` and `:tab-give`.

Fixed
~~~~~

- Switching tabs via mouse wheel scrolling now works properly on macOS. Set
  `tabs.mousewheel_switching` to false if you prefer the previous behavior.
- Speculative fix for a crash when closing qutebrowser while a systray
  notification is shown.

Changed
~~~~~~~

- Typing in the filename prompt now filters matching directories.
- When opening a file qutebrowser can't handle from a `file:///` directory
  listing, qutebrowser now opens it with the default application rather than
  displaying a download prompt.
- In Greasemonkey scripts, using "overrideMimeType" with GM_xmlhttpRequest is
  now supported.
- `:hint --rapid` is now supported for the `tab` hinting target no matter what
  `tabs.background` is set to, as there are various scenarios where tabs can
  open in the background.
- New flags for the `qute-pass` userscript:
  * `--unfiltered` to show all secrets, not just the one matching the current
    URL.
  * `--always-show-selection` to confirm the password to be entered even if
    there's only a single match.
- In insert mode, `<Shift-Escape>` is now bound to `fake-key <Escape>` by
  default, i.e., sends an Escape keypress to the website.
- Using `GM_setClipboard` in Greasemonkey scripts is now supported.

Florian

-- 
            me at the-compiler.org | https://www.qutebrowser.org 
       https://bruhin.software/ | https://github.com/sponsors/The-Compiler/
       GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc
             I love long mails! | https://email.is-not-s.ms/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://listi.jpberlin.de/pipermail/qutebrowser/attachments/20211021/82f57926/attachment.asc>


More information about the qutebrowser mailing list