[arch-commits] Commit in qutebrowser/trunk (PKGBUILD initiator.patch)

Morten Linderud foxboron at archlinux.org
Sat Sep 29 17:52:13 UTC 2018


    Date: Saturday, September 29, 2018 @ 17:52:12
  Author: foxboron
Revision: 387926

upgpkg: qutebrowser 1.4.2-2

Added:
  qutebrowser/trunk/initiator.patch
Modified:
  qutebrowser/trunk/PKGBUILD

-----------------+
 PKGBUILD        |   17 ++++++++----
 initiator.patch |   75 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+), 5 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2018-09-29 17:48:51 UTC (rev 387925)
+++ PKGBUILD	2018-09-29 17:52:12 UTC (rev 387926)
@@ -4,7 +4,7 @@
 
 pkgname=qutebrowser
 pkgver=1.4.2
-pkgrel=1
+pkgrel=2
 pkgdesc="A keyboard-driven, vim-like browser based on PyQt5"
 arch=("any")
 url="http://www.qutebrowser.org/"
@@ -21,18 +21,25 @@
 	"qt5-webkit: alternative backend")
 options=(!emptydirs)
 source=("https://github.com/qutebrowser/qutebrowser/releases/download/v$pkgver/qutebrowser-$pkgver.tar.gz"
-	    "https://github.com/qutebrowser/qutebrowser/releases/download/v$pkgver/qutebrowser-$pkgver.tar.gz.asc")
+	    "https://github.com/qutebrowser/qutebrowser/releases/download/v$pkgver/qutebrowser-$pkgver.tar.gz.asc"
+        "initiator.patch")
 validpgpkeys=("E04E560002401B8EF0E76F0A916EB0C8FD55A072")
 sha256sums=('fd5d47b0e45e40b1348caf37e8ac304256d453d147f7a930193d3c4aeb21d2de'
-            'SKIP')
+            'SKIP'
+            '44654dc6515245ae05597ad9b8a3917e9391210dfc4fd61210153502b49fd0a3')
 
+prepare() {
+    cd $pkgname-$pkgver
+    patch -Np1 -i "${srcdir}/initiator.patch"
+}
+
 build() {
-	cd "$srcdir/$pkgname-$pkgver"
+	cd "$pkgname-$pkgver"
 	a2x -f manpage doc/qutebrowser.1.asciidoc
 	python setup.py build
 }
 
 package() {
-	cd "$srcdir/$pkgname-$pkgver"
+	cd "$pkgname-$pkgver"
 	make -f misc/Makefile DESTDIR="$pkgdir" PREFIX=/usr install
 }
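Review bot: The new prepare() applies initiator.patch with no comment saying where the patch comes from or when it can be dropped, which makes what appears to be a security backport hard to audit later; a line above the `patch` call such as `# Backport of the qute:// initiator check fix (QTBUG-70421 workaround); upstream commit: <UPSTREAM_COMMIT>` would record that. The `cd $pkgname-$pkgver` in prepare() is also unquoted, unlike the `cd "$pkgname-$pkgver"` this same hunk writes in build() and package(); quoting it keeps the three consistent. The prepare() body and the `"initiator.patch"` source entry are indented with spaces where the surrounding lines use tabs.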

Added: initiator.patch
===================================================================
--- initiator.patch	                        (rev 0)
+++ initiator.patch	2018-09-29 17:52:12 UTC (rev 387926)
@@ -0,0 +1,75 @@
+diff --git a/qutebrowser/browser/webengine/webenginequtescheme.py b/qutebrowser/browser/webengine/webenginequtescheme.py
+index 3eb7c7df1..3ddbf48f4 100644
+--- a/qutebrowser/browser/webengine/webenginequtescheme.py
++++ b/qutebrowser/browser/webengine/webenginequtescheme.py
+@@ -19,7 +19,7 @@
+ 
+ """QtWebEngine specific qute://* handlers and glue code."""
+ 
+-from PyQt5.QtCore import QBuffer, QIODevice
++from PyQt5.QtCore import QBuffer, QIODevice, QUrl
+ from PyQt5.QtWebEngineCore import (QWebEngineUrlSchemeHandler,
+                                    QWebEngineUrlRequestJob)
+ 
+@@ -39,6 +39,37 @@ class QuteSchemeHandler(QWebEngineUrlSchemeHandler):
+             profile.installUrlSchemeHandler(b'chrome-error', self)
+             profile.installUrlSchemeHandler(b'chrome-extension', self)
+ 
++    def _check_initiator(self, job):
++        """Check whether the initiator of the job should be allowed.
++
++        Only the browser itself or qute:// pages should access any of those
++        URLs. The request interceptor further locks down qute://settings/set.
++
++        Args:
++            job: QWebEngineUrlRequestJob
++
++        Return:
++            True if the initiator is allowed, False if it was blocked.
++        """
++        try:
++            initiator = job.initiator()
++        except AttributeError:
++            # Added in Qt 5.11
++            return True
++
++        if initiator == QUrl('null') and not qtutils.version_check('5.12'):
++            # WORKAROUND for https://bugreports.qt.io/browse/QTBUG-70421
++            return True
++
++        if initiator.isValid() and initiator.scheme() != 'qute':
++            log.misc.warning("Blocking malicious request from {} to {}".format(
++                initiator.toDisplayString(),
++                job.requestUrl().toDisplayString()))
++            job.fail(QWebEngineUrlRequestJob.RequestDenied)
++            return False
++
++        return True
++
+     def requestStarted(self, job):
+         """Handle a request for a qute: scheme.
+ 
+@@ -55,21 +86,8 @@ class QuteSchemeHandler(QWebEngineUrlSchemeHandler):
+             job.fail(QWebEngineUrlRequestJob.UrlInvalid)
+             return
+ 
+-        # Only the browser itself or qute:// pages should access any of those
+-        # URLs.
+-        # The request interceptor further locks down qute://settings/set.
+-        try:
+-            initiator = job.initiator()
+-        except AttributeError:
+-            # Added in Qt 5.11
+-            pass
+-        else:
+-            if initiator.isValid() and initiator.scheme() != 'qute':
+-                log.misc.warning("Blocking malicious request from {} to {}"
+-                                 .format(initiator.toDisplayString(),
+-                                         url.toDisplayString()))
+-                job.fail(QWebEngineUrlRequestJob.RequestDenied)
+-                return
++        if not self._check_initiator(job):
++            return
+ 
+         if job.requestMethod() != b'GET':
+             job.fail(QWebEngineUrlRequestJob.RequestDenied)
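Review bot: `_check_initiator` has two paths that allow the request without leaving any trace: the `except AttributeError` branch and the `initiator == QUrl('null')` workaround, which on Qt older than 5.12 allows every request whose initiator is reported as 'null'. If 'null' is also how an opaque origin is reported (not visible here, so worth confirming against QTBUG-70421), the check does not cover such pages on the affected Qt versions, and the workaround comment should state that as an accepted limitation. A debug line before that `return True`, e.g. `log.misc.debug("Allowing null initiator for {} (QTBUG-70421)".format(job.requestUrl().toDisplayString()))`, would make the allowed case visible during an investigation. The nested hunks do not show an import of `qtutils`, so confirm the module already has it in scope; `requestStarted` continues outside them.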


