[arch-commits] Commit in qutebrowser/repos/community-any (3 files)
Morten Linderud
foxboron at archlinux.org
Sat Sep 29 17:52:57 UTC 2018
Date: Saturday, September 29, 2018 @ 17:52:56
Author: foxboron
Revision: 387927
archrelease: copy trunk to community-any
Added:
qutebrowser/repos/community-any/PKGBUILD
(from rev 387926, qutebrowser/trunk/PKGBUILD)
qutebrowser/repos/community-any/initiator.patch
(from rev 387926, qutebrowser/trunk/initiator.patch)
Deleted:
qutebrowser/repos/community-any/PKGBUILD
-----------------+
PKGBUILD | 83 +++++++++++++++++++++++++++++-------------------------
initiator.patch | 75 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 120 insertions(+), 38 deletions(-)
Deleted: PKGBUILD
===================================================================
--- PKGBUILD 2018-09-29 17:52:12 UTC (rev 387926)
+++ PKGBUILD 2018-09-29 17:52:56 UTC (rev 387927)
@@ -1,38 +0,0 @@
-# Maintainer: Morten Linderud <foxboron at archlinux.org>
-# Contributor: Pierre Neidhardt <ambrevar at gmail.com>
-# Contributor: Florian Bruhin (The Compiler) <archlinux.org at the-compiler.org>
-
-pkgname=qutebrowser
-pkgver=1.4.2
-pkgrel=1
-pkgdesc="A keyboard-driven, vim-like browser based on PyQt5"
-arch=("any")
-url="http://www.qutebrowser.org/"
-license=("GPL")
-depends=("python-attrs" "python-jinja" "python-pygments" "python-pypeg2"
- "python-pyqt5>=5.7" "python-yaml" "qt5-base>=5.7.1" "qt5-webengine")
-makedepends=("asciidoc" "python-setuptools")
-optdepends=("gst-libav: media playback"
- "gst-plugins-base: media playback"
- "gst-plugins-good: media playback"
- "gst-plugins-bad: media playback"
- "gst-plugins-ugly: media playback"
- "pdfjs: displaying PDF in-browser"
- "qt5-webkit: alternative backend")
-options=(!emptydirs)
-source=("https://github.com/qutebrowser/qutebrowser/releases/download/v$pkgver/qutebrowser-$pkgver.tar.gz"
- "https://github.com/qutebrowser/qutebrowser/releases/download/v$pkgver/qutebrowser-$pkgver.tar.gz.asc")
-validpgpkeys=("E04E560002401B8EF0E76F0A916EB0C8FD55A072")
-sha256sums=('fd5d47b0e45e40b1348caf37e8ac304256d453d147f7a930193d3c4aeb21d2de'
- 'SKIP')
-
-build() {
- cd "$srcdir/$pkgname-$pkgver"
- a2x -f manpage doc/qutebrowser.1.asciidoc
- python setup.py build
-}
-
-package() {
- cd "$srcdir/$pkgname-$pkgver"
- make -f misc/Makefile DESTDIR="$pkgdir" PREFIX=/usr install
-}
Copied: qutebrowser/repos/community-any/PKGBUILD (from rev 387926, qutebrowser/trunk/PKGBUILD)
===================================================================
--- PKGBUILD (rev 0)
+++ PKGBUILD 2018-09-29 17:52:56 UTC (rev 387927)
@@ -0,0 +1,45 @@
+# Maintainer: Morten Linderud <foxboron at archlinux.org>
+# Contributor: Pierre Neidhardt <ambrevar at gmail.com>
+# Contributor: Florian Bruhin (The Compiler) <archlinux.org at the-compiler.org>
+
+pkgname=qutebrowser
+pkgver=1.4.2
+pkgrel=2
+pkgdesc="A keyboard-driven, vim-like browser based on PyQt5"
+arch=("any")
+url="http://www.qutebrowser.org/"
+license=("GPL")
+depends=("python-attrs" "python-jinja" "python-pygments" "python-pypeg2"
+ "python-pyqt5>=5.7" "python-yaml" "qt5-base>=5.7.1" "qt5-webengine")
+makedepends=("asciidoc" "python-setuptools")
+optdepends=("gst-libav: media playback"
+ "gst-plugins-base: media playback"
+ "gst-plugins-good: media playback"
+ "gst-plugins-bad: media playback"
+ "gst-plugins-ugly: media playback"
+ "pdfjs: displaying PDF in-browser"
+ "qt5-webkit: alternative backend")
+options=(!emptydirs)
+source=("https://github.com/qutebrowser/qutebrowser/releases/download/v$pkgver/qutebrowser-$pkgver.tar.gz"
+ "https://github.com/qutebrowser/qutebrowser/releases/download/v$pkgver/qutebrowser-$pkgver.tar.gz.asc"
+ "initiator.patch")
+validpgpkeys=("E04E560002401B8EF0E76F0A916EB0C8FD55A072")
+sha256sums=('fd5d47b0e45e40b1348caf37e8ac304256d453d147f7a930193d3c4aeb21d2de'
+ 'SKIP'
+ '44654dc6515245ae05597ad9b8a3917e9391210dfc4fd61210153502b49fd0a3')
+
+prepare() {
+ cd $pkgname-$pkgver
+ patch -Np1 -i "${srcdir}/initiator.patch"
+}
+
+build() {
+ cd "$pkgname-$pkgver"
+ a2x -f manpage doc/qutebrowser.1.asciidoc
+ python setup.py build
+}
+
+package() {
+ cd "$pkgname-$pkgver"
+ make -f misc/Makefile DESTDIR="$pkgdir" PREFIX=/usr install
+}
Copied: qutebrowser/repos/community-any/initiator.patch (from rev 387926, qutebrowser/trunk/initiator.patch)
===================================================================
--- initiator.patch (rev 0)
+++ initiator.patch 2018-09-29 17:52:56 UTC (rev 387927)
@@ -0,0 +1,75 @@
+diff --git a/qutebrowser/browser/webengine/webenginequtescheme.py b/qutebrowser/browser/webengine/webenginequtescheme.py
+index 3eb7c7df1..3ddbf48f4 100644
+--- a/qutebrowser/browser/webengine/webenginequtescheme.py
++++ b/qutebrowser/browser/webengine/webenginequtescheme.py
+@@ -19,7 +19,7 @@
+
+ """QtWebEngine specific qute://* handlers and glue code."""
+
+-from PyQt5.QtCore import QBuffer, QIODevice
++from PyQt5.QtCore import QBuffer, QIODevice, QUrl
+ from PyQt5.QtWebEngineCore import (QWebEngineUrlSchemeHandler,
+ QWebEngineUrlRequestJob)
+
+@@ -39,6 +39,37 @@ class QuteSchemeHandler(QWebEngineUrlSchemeHandler):
+ profile.installUrlSchemeHandler(b'chrome-error', self)
+ profile.installUrlSchemeHandler(b'chrome-extension', self)
+
++ def _check_initiator(self, job):
++ """Check whether the initiator of the job should be allowed.
++
++ Only the browser itself or qute:// pages should access any of those
++ URLs. The request interceptor further locks down qute://settings/set.
++
++ Args:
++ job: QWebEngineUrlRequestJob
++
++ Return:
++ True if the initiator is allowed, False if it was blocked.
++ """
++ try:
++ initiator = job.initiator()
++ except AttributeError:
++ # Added in Qt 5.11
++ return True
++
++ if initiator == QUrl('null') and not qtutils.version_check('5.12'):
++ # WORKAROUND for https://bugreports.qt.io/browse/QTBUG-70421
++ return True
++
++ if initiator.isValid() and initiator.scheme() != 'qute':
++ log.misc.warning("Blocking malicious request from {} to {}".format(
++ initiator.toDisplayString(),
++ job.requestUrl().toDisplayString()))
++ job.fail(QWebEngineUrlRequestJob.RequestDenied)
++ return False
++
++ return True
++
+ def requestStarted(self, job):
+ """Handle a request for a qute: scheme.
+
+@@ -55,21 +86,8 @@ class QuteSchemeHandler(QWebEngineUrlSchemeHandler):
+ job.fail(QWebEngineUrlRequestJob.UrlInvalid)
+ return
+
+- # Only the browser itself or qute:// pages should access any of those
+- # URLs.
+- # The request interceptor further locks down qute://settings/set.
+- try:
+- initiator = job.initiator()
+- except AttributeError:
+- # Added in Qt 5.11
+- pass
+- else:
+- if initiator.isValid() and initiator.scheme() != 'qute':
+- log.misc.warning("Blocking malicious request from {} to {}"
+- .format(initiator.toDisplayString(),
+- url.toDisplayString()))
+- job.fail(QWebEngineUrlRequestJob.RequestDenied)
+- return
++ if not self._check_initiator(job):
++ return
+
+ if job.requestMethod() != b'GET':
+ job.fail(QWebEngineUrlRequestJob.RequestDenied)
More information about the arch-commits
mailing list