History page parses and renders html tags #4011
While visiting this page which has an html input element as its title (
I then searched a bunch of unclosed html tags in google, a
Here's a copy of the announcement I sent out:
I've just released qutebrowser v1.3.3, which fixes an XSS vulnerability
The vulnerability allowed websites to inject HTML into the page via a
If you're currently unable to upgrade, avoid using :history.
A CVE request for this issue is pending, I'll send out another mail once
The patch applies cleanly to v1.2.x and v1.1.x (but I do not plan to do
It does not apply to v1.0.x and v0.11.x. If you need a backport,
I plan to release v1.4.0 later this week (once PyQt 5.11 is out), but
Other bugfixes in this release:
Sorry for the trouble!
Unfortunately my fix caused a regression due to escaping URLs as well, causing the wrong URL to be loaded when clicking a link on the history page. I'm tracking this in #4012. I won't release a v1.3.4 because this is rather minor, but I plan to fix it in v1.4.0.
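To make the two bugs discussed above concrete, here is an added illustration (not qutebrowser's own code) of a history entry being rendered with its title unescaped, the same entry rendered with escaping applied at the HTML boundary, and the over-escaping regression. The JSON feed and the way the URL is consumed as a plain value are assumptions used to model the regression, not details taken from the project.

```python
import html
import json

# Constructed sample history entries (not real browsing data).
HISTORY = [
    {"url": "https://example.com/search?q=a&b=c", "title": "Example search"},
    {"url": "https://attacker.invalid/", "title": "<img src=x onerror=alert(1)>"},
]


def render_entry_vulnerable(entry):
    """Title interpolated straight into markup: a crafted title becomes live HTML."""
    return '<a href="{}">{}</a>'.format(entry["url"], entry["title"])


def render_entry_fixed(entry):
    """Escape each value at the point where it is placed into an HTML context."""
    return '<a href="{}">{}</a>'.format(
        html.escape(entry["url"], quote=True),
        html.escape(entry["title"], quote=True),
    )


def history_data_overescaped(entries):
    """Models the regression: HTML-escaping the URL inside the data feed (assumed
    JSON here) before it is used as a plain value turns 'a&b' into 'a&amp;b',
    so the client ends up loading the wrong URL."""
    return json.dumps(
        [{"url": html.escape(e["url"]), "title": html.escape(e["title"])} for e in entries]
    )


def history_data_fixed(entries):
    """Ship raw values in the feed; escape only when rendering into HTML."""
    return json.dumps(entries)


def load_urls(data):
    """Helper mimicking a client that reads the URL as a plain string value."""
    return [e["url"] for e in json.loads(data)]


if __name__ == "__main__":
    print(render_entry_vulnerable(HISTORY[1]))
    print(render_entry_fixed(HISTORY[1]))
    print(load_urls(history_data_overescaped(HISTORY))[0])
    print(load_urls(history_data_fixed(HISTORY))[0])
```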
v1.3.3
------

Security
~~~~~~~~

- An XSS vulnerability on the `qute://history` page allowed websites to inject HTML into the page via a crafted title tag. This could allow them to steal your browsing history. If you're currently unable to upgrade, avoid using `:history`. A CVE request for this issue is pending, see qutebrowser/qutebrowser#4011 for updates.

Fixed
~~~~~

- Crash in a workaround for a Qt 5.11 bug in rare circumstances.
- Workaround for a Qt bug which preserves searches between page loads.
- In v1.3.2 a dependency on the `PyQt5.QtQuickWidgets` module was accidentally introduced. Since that module isn't packaged everywhere, it's been removed again.

v1.3.2
------

Fixed
~~~~~

- QtWebEngine: Improved workaround for a bug in Qt 5.11 where only the top/bottom half of the window is used.
- QtWebEngine: Work around a bug in Qt 5.11 where an endless loading-loop is triggered when clicking a link with an unknown scheme.
- QtWebEngine: When switching between pages with changed settings, less unnecessary reloads are done now.
- QtWebEngine: It's now possible to open external links such as `magnet://` or `mailto:` via hints.
This issue has been assigned CVE-2018-1000559.
@BenjaminBrandtner Thanks again, especially for the screenshots and all, which makes things easier! I'm not sure if you were aware of the security implications of this bug (and it's okay if you weren't!) - but if you were, note that there's usually a way to report security-related issues to projects privately (email@example.com for qutebrowser). That way, there's less pressure on maintainers to fix things immediately, as things are less likely to be exploited (and it's possible to only announce the details once distributions have updated their packages).