[arch-commits] Commit in qutebrowser/trunk (PKGBUILD initiator.patch)
Morten Linderud
foxboron at archlinux.org
Sat Sep 29 17:52:13 UTC 2018
Date: Saturday, September 29, 2018 @ 17:52:12
Author: foxboron
Revision: 387926
upgpkg: qutebrowser 1.4.2-2
Added:
qutebrowser/trunk/initiator.patch
Modified:
qutebrowser/trunk/PKGBUILD
-----------------+
PKGBUILD | 17 ++++++++----
initiator.patch | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 87 insertions(+), 5 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2018-09-29 17:48:51 UTC (rev 387925)
+++ PKGBUILD 2018-09-29 17:52:12 UTC (rev 387926)
@@ -4,7 +4,7 @@
pkgname=qutebrowser
pkgver=1.4.2
-pkgrel=1
+pkgrel=2
pkgdesc="A keyboard-driven, vim-like browser based on PyQt5"
arch=("any")
url="http://www.qutebrowser.org/"
@@ -21,18 +21,25 @@
"qt5-webkit: alternative backend")
options=(!emptydirs)
source=("https://github.com/qutebrowser/qutebrowser/releases/download/v$pkgver/qutebrowser-$pkgver.tar.gz"
- "https://github.com/qutebrowser/qutebrowser/releases/download/v$pkgver/qutebrowser-$pkgver.tar.gz.asc")
+ "https://github.com/qutebrowser/qutebrowser/releases/download/v$pkgver/qutebrowser-$pkgver.tar.gz.asc"
+ "initiator.patch")
validpgpkeys=("E04E560002401B8EF0E76F0A916EB0C8FD55A072")
sha256sums=('fd5d47b0e45e40b1348caf37e8ac304256d453d147f7a930193d3c4aeb21d2de'
- 'SKIP')
+ 'SKIP'
+ '44654dc6515245ae05597ad9b8a3917e9391210dfc4fd61210153502b49fd0a3')
+prepare() {
+ cd $pkgname-$pkgver
+ patch -Np1 -i "${srcdir}/initiator.patch"
+}
+
build() {
- cd "$srcdir/$pkgname-$pkgver"
+ cd "$pkgname-$pkgver"
a2x -f manpage doc/qutebrowser.1.asciidoc
python setup.py build
}
package() {
- cd "$srcdir/$pkgname-$pkgver"
+ cd "$pkgname-$pkgver"
make -f misc/Makefile DESTDIR="$pkgdir" PREFIX=/usr install
}
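Review bot: The new `"initiator.patch"` source entry and `prepare()` have no comment saying where the patch comes from or when it can be dropped. The sha256 pins the file's content, but a later maintainer cannot tell from the PKGBUILD which upstream change it corresponds to. A one-line comment above `prepare()` would record that, for example `# Backport of the upstream initiator-check fix (<upstream-commit-or-issue>); drop once a release includes it`. Separately, `cd $pkgname-$pkgver` in `prepare()` is unquoted while `build()` and `package()` quote the same path; `cd "$pkgname-$pkgver"` keeps the three consistent.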
Added: initiator.patch
===================================================================
--- initiator.patch (rev 0)
+++ initiator.patch 2018-09-29 17:52:12 UTC (rev 387926)
@@ -0,0 +1,75 @@
+diff --git a/qutebrowser/browser/webengine/webenginequtescheme.py b/qutebrowser/browser/webengine/webenginequtescheme.py
+index 3eb7c7df1..3ddbf48f4 100644
+--- a/qutebrowser/browser/webengine/webenginequtescheme.py
++++ b/qutebrowser/browser/webengine/webenginequtescheme.py
+@@ -19,7 +19,7 @@
+
+ """QtWebEngine specific qute://* handlers and glue code."""
+
+-from PyQt5.QtCore import QBuffer, QIODevice
++from PyQt5.QtCore import QBuffer, QIODevice, QUrl
+ from PyQt5.QtWebEngineCore import (QWebEngineUrlSchemeHandler,
+ QWebEngineUrlRequestJob)
+
+@@ -39,6 +39,37 @@ class QuteSchemeHandler(QWebEngineUrlSchemeHandler):
+ profile.installUrlSchemeHandler(b'chrome-error', self)
+ profile.installUrlSchemeHandler(b'chrome-extension', self)
+
++ def _check_initiator(self, job):
++ """Check whether the initiator of the job should be allowed.
++
++ Only the browser itself or qute:// pages should access any of those
++ URLs. The request interceptor further locks down qute://settings/set.
++
++ Args:
++ job: QWebEngineUrlRequestJob
++
++ Return:
++ True if the initiator is allowed, False if it was blocked.
++ """
++ try:
++ initiator = job.initiator()
++ except AttributeError:
++ # Added in Qt 5.11
++ return True
++
++ if initiator == QUrl('null') and not qtutils.version_check('5.12'):
++ # WORKAROUND for https://bugreports.qt.io/browse/QTBUG-70421
++ return True
++
++ if initiator.isValid() and initiator.scheme() != 'qute':
++ log.misc.warning("Blocking malicious request from {} to {}".format(
++ initiator.toDisplayString(),
++ job.requestUrl().toDisplayString()))
++ job.fail(QWebEngineUrlRequestJob.RequestDenied)
++ return False
++
++ return True
++
+ def requestStarted(self, job):
+ """Handle a request for a qute: scheme.
+
+@@ -55,21 +86,8 @@ class QuteSchemeHandler(QWebEngineUrlSchemeHandler):
+ job.fail(QWebEngineUrlRequestJob.UrlInvalid)
+ return
+
+- # Only the browser itself or qute:// pages should access any of those
+- # URLs.
+- # The request interceptor further locks down qute://settings/set.
+- try:
+- initiator = job.initiator()
+- except AttributeError:
+- # Added in Qt 5.11
+- pass
+- else:
+- if initiator.isValid() and initiator.scheme() != 'qute':
+- log.misc.warning("Blocking malicious request from {} to {}"
+- .format(initiator.toDisplayString(),
+- url.toDisplayString()))
+- job.fail(QWebEngineUrlRequestJob.RequestDenied)
+- return
++ if not self._check_initiator(job):
++ return
+
+ if job.requestMethod() != b'GET':
+ job.fail(QWebEngineUrlRequestJob.RequestDenied)
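Review bot: In `_check_initiator`, the branch `if initiator == QUrl('null') and not qtutils.version_check('5.12')` returns True, so on Qt older than 5.12 the initiator check fails open for every request whose initiator is reported as `null`. The comment cites only the bug number and not that trade-off. I would state it where the exception is made, e.g. `# WORKAROUND for QTBUG-70421: on Qt < 5.12 a 'null' initiator is allowed unchecked (fails open); remove once Qt 5.12 is the minimum.` The new method also uses `qtutils`, but the import hunk adds only `QUrl` and the module's other imports lie outside the hunk, so it is worth confirming `qtutils` is already in scope. The body of `requestStarted` starts and continues outside the visible hunks.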