[arch-commits] Commit in qutebrowser/repos/community-any (3 files)

Morten Linderud foxboron at archlinux.org
Sat Sep 29 17:52:57 UTC 2018 

    Date: Saturday, September 29, 2018 @ 17:52:56
  Author: foxboron
Revision: 387927

archrelease: copy trunk to community-any

Added:
  qutebrowser/repos/community-any/PKGBUILD
    (from rev 387926, qutebrowser/trunk/PKGBUILD)
  qutebrowser/repos/community-any/initiator.patch
    (from rev 387926, qutebrowser/trunk/initiator.patch)
Deleted:
  qutebrowser/repos/community-any/PKGBUILD

-----------------+
 PKGBUILD        |   83 +++++++++++++++++++++++++++++-------------------------
 initiator.patch |   75 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 120 insertions(+), 38 deletions(-)

Deleted: PKGBUILD
===================================================================
--- PKGBUILD	2018-09-29 17:52:12 UTC (rev 387926)
+++ PKGBUILD	2018-09-29 17:52:56 UTC (rev 387927)
@@ -1,38 +0,0 @@
-# Maintainer: Morten Linderud <foxboron at archlinux.org>
-# Contributor: Pierre Neidhardt <ambrevar at gmail.com>
-# Contributor: Florian Bruhin (The Compiler) <archlinux.org at the-compiler.org>
-
-pkgname=qutebrowser
-pkgver=1.4.2
-pkgrel=1
-pkgdesc="A keyboard-driven, vim-like browser based on PyQt5"
-arch=("any")
-url="http://www.qutebrowser.org/"
-license=("GPL")
-depends=("python-attrs" "python-jinja" "python-pygments" "python-pypeg2"
-	"python-pyqt5>=5.7" "python-yaml" "qt5-base>=5.7.1" "qt5-webengine")
-makedepends=("asciidoc" "python-setuptools")
-optdepends=("gst-libav: media playback"
-	"gst-plugins-base: media playback"
-	"gst-plugins-good: media playback"
-	"gst-plugins-bad: media playback"
-	"gst-plugins-ugly: media playback"
-	"pdfjs: displaying PDF in-browser"
-	"qt5-webkit: alternative backend")
-options=(!emptydirs)
-source=("https://github.com/qutebrowser/qutebrowser/releases/download/v$pkgver/qutebrowser-$pkgver.tar.gz"
-	    "https://github.com/qutebrowser/qutebrowser/releases/download/v$pkgver/qutebrowser-$pkgver.tar.gz.asc")
-validpgpkeys=("E04E560002401B8EF0E76F0A916EB0C8FD55A072")
-sha256sums=('fd5d47b0e45e40b1348caf37e8ac304256d453d147f7a930193d3c4aeb21d2de'
-            'SKIP')
-
-build() {
-	cd "$srcdir/$pkgname-$pkgver"
-	a2x -f manpage doc/qutebrowser.1.asciidoc
-	python setup.py build
-}
-
-package() {
-	cd "$srcdir/$pkgname-$pkgver"
-	make -f misc/Makefile DESTDIR="$pkgdir" PREFIX=/usr install
-}

Copied: qutebrowser/repos/community-any/PKGBUILD (from rev 387926, qutebrowser/trunk/PKGBUILD)
===================================================================
--- PKGBUILD	                        (rev 0)
+++ PKGBUILD	2018-09-29 17:52:56 UTC (rev 387927)
@@ -0,0 +1,45 @@
+# Maintainer: Morten Linderud <foxboron at archlinux.org>
+# Contributor: Pierre Neidhardt <ambrevar at gmail.com>
+# Contributor: Florian Bruhin (The Compiler) <archlinux.org at the-compiler.org>
+
+pkgname=qutebrowser
+pkgver=1.4.2
+pkgrel=2
+pkgdesc="A keyboard-driven, vim-like browser based on PyQt5"
+arch=("any")
+url="http://www.qutebrowser.org/"
+license=("GPL")
+depends=("python-attrs" "python-jinja" "python-pygments" "python-pypeg2"
+	"python-pyqt5>=5.7" "python-yaml" "qt5-base>=5.7.1" "qt5-webengine")
+makedepends=("asciidoc" "python-setuptools")
+optdepends=("gst-libav: media playback"
+	"gst-plugins-base: media playback"
+	"gst-plugins-good: media playback"
+	"gst-plugins-bad: media playback"
+	"gst-plugins-ugly: media playback"
+	"pdfjs: displaying PDF in-browser"
+	"qt5-webkit: alternative backend")
+options=(!emptydirs)
+source=("https://github.com/qutebrowser/qutebrowser/releases/download/v$pkgver/qutebrowser-$pkgver.tar.gz"
+	    "https://github.com/qutebrowser/qutebrowser/releases/download/v$pkgver/qutebrowser-$pkgver.tar.gz.asc"
+        "initiator.patch")
+validpgpkeys=("E04E560002401B8EF0E76F0A916EB0C8FD55A072")
+sha256sums=('fd5d47b0e45e40b1348caf37e8ac304256d453d147f7a930193d3c4aeb21d2de'
+            'SKIP'
+            '44654dc6515245ae05597ad9b8a3917e9391210dfc4fd61210153502b49fd0a3')
+
+prepare() {
+    cd $pkgname-$pkgver
+    patch -Np1 -i "${srcdir}/initiator.patch"
+}
+
+build() {
+	cd "$pkgname-$pkgver"
+	a2x -f manpage doc/qutebrowser.1.asciidoc
+	python setup.py build
+}
+
+package() {
+	cd "$pkgname-$pkgver"
+	make -f misc/Makefile DESTDIR="$pkgdir" PREFIX=/usr install
+}

Copied: qutebrowser/repos/community-any/initiator.patch (from rev 387926, qutebrowser/trunk/initiator.patch)
===================================================================
--- initiator.patch	                        (rev 0)
+++ initiator.patch	2018-09-29 17:52:56 UTC (rev 387927)
@@ -0,0 +1,75 @@
+diff --git a/qutebrowser/browser/webengine/webenginequtescheme.py b/qutebrowser/browser/webengine/webenginequtescheme.py
+index 3eb7c7df1..3ddbf48f4 100644
+--- a/qutebrowser/browser/webengine/webenginequtescheme.py
++++ b/qutebrowser/browser/webengine/webenginequtescheme.py
+@@ -19,7 +19,7 @@
+ 
+ """QtWebEngine specific qute://* handlers and glue code."""
+ 
+-from PyQt5.QtCore import QBuffer, QIODevice
++from PyQt5.QtCore import QBuffer, QIODevice, QUrl
+ from PyQt5.QtWebEngineCore import (QWebEngineUrlSchemeHandler,
+                                    QWebEngineUrlRequestJob)
+ 
+@@ -39,6 +39,37 @@ class QuteSchemeHandler(QWebEngineUrlSchemeHandler):
+             profile.installUrlSchemeHandler(b'chrome-error', self)
+             profile.installUrlSchemeHandler(b'chrome-extension', self)
+ 
++    def _check_initiator(self, job):
++        """Check whether the initiator of the job should be allowed.
++
++        Only the browser itself or qute:// pages should access any of those
++        URLs. The request interceptor further locks down qute://settings/set.
++
++        Args:
++            job: QWebEngineUrlRequestJob
++
++        Return:
++            True if the initiator is allowed, False if it was blocked.
++        """
++        try:
++            initiator = job.initiator()
++        except AttributeError:
++            # Added in Qt 5.11
++            return True
++
++        if initiator == QUrl('null') and not qtutils.version_check('5.12'):
++            # WORKAROUND for https://bugreports.qt.io/browse/QTBUG-70421
++            return True
++
++        if initiator.isValid() and initiator.scheme() != 'qute':
++            log.misc.warning("Blocking malicious request from {} to {}".format(
++                initiator.toDisplayString(),
++                job.requestUrl().toDisplayString()))
++            job.fail(QWebEngineUrlRequestJob.RequestDenied)
++            return False
++
++        return True
++
+     def requestStarted(self, job):
+         """Handle a request for a qute: scheme.
+ 
+@@ -55,21 +86,8 @@ class QuteSchemeHandler(QWebEngineUrlSchemeHandler):
+             job.fail(QWebEngineUrlRequestJob.UrlInvalid)
+             return
+ 
+-        # Only the browser itself or qute:// pages should access any of those
+-        # URLs.
+-        # The request interceptor further locks down qute://settings/set.
+-        try:
+-            initiator = job.initiator()
+-        except AttributeError:
+-            # Added in Qt 5.11
+-            pass
+-        else:
+-            if initiator.isValid() and initiator.scheme() != 'qute':
+-                log.misc.warning("Blocking malicious request from {} to {}"
+-                                 .format(initiator.toDisplayString(),
+-                                         url.toDisplayString()))
+-                job.fail(QWebEngineUrlRequestJob.RequestDenied)
+-                return
++        if not self._check_initiator(job):
++            return
+ 
+         if job.requestMethod() != b'GET':
+             job.fail(QWebEngineUrlRequestJob.RequestDenied)

More information about the arch-commits mailing list