Hello community, here is the log from the commit of package qutebrowser for openSUSE:Factory checked in at 2018-07-13 10:21:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/qutebrowser (Old) and /work/SRC/openSUSE:Factory/.qutebrowser.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "qutebrowser" Fri Jul 13 10:21:10 2018 rev:23 rq:622158 version:1.4.1 Changes: -------- --- /work/SRC/openSUSE:Factory/qutebrowser/qutebrowser.changes 2018-07-04 23:55:56.891838034 +0200 +++ /work/SRC/openSUSE:Factory/.qutebrowser.new/qutebrowser.changes 2018-07-13 10:21:12.118444730 +0200 @@ -1,0 +2,16 @@ +Wed Jul 11 17:46:59 UTC 2018 - 9+suse@cirno.systems + +- Update to version 1.4.1: + Security: + * CVE-2018-10895: Fix CSRF issue on the qute://settings page, + leading to possible arbitrary code execution. + See the related GitHub issue for details: + https://github.com/qutebrowser/qutebrowser/issues/4060 + Fixed: + * Rare crash when an error occurs in downloads. + * Newlines are now stripped from the :version pastebin URL. + * Worked around a Qt issue which redirects to a + chrome-error:// page when trying to use U2F. + * The link_pyqt.py script now works correctly with PyQt 5.11. + +------------------------------------------------------------------- Old: ---- qutebrowser-1.4.0.tar.gz qutebrowser-1.4.0.tar.gz.asc New: ---- qutebrowser-1.4.1.tar.gz qutebrowser-1.4.1.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ qutebrowser.spec ++++++ --- /var/tmp/diff_new_pack.dOuR1B/_old 2018-07-13 10:21:12.574445276 +0200 +++ /var/tmp/diff_new_pack.dOuR1B/_new 2018-07-13 10:21:12.578445281 +0200 @@ -17,7 +17,7 @@ Name: qutebrowser -Version: 1.4.0 +Version: 1.4.1 Release: 0 Summary: Keyboard-driven vim-like browser based on Qt5 License: GPL-3.0-or-later ++++++ qutebrowser-1.4.0.tar.gz -> qutebrowser-1.4.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/PKG-INFO new/qutebrowser-1.4.1/PKG-INFO --- old/qutebrowser-1.4.0/PKG-INFO 2018-07-03 15:48:17.000000000 +0200 +++ new/qutebrowser-1.4.1/PKG-INFO 2018-07-11 17:19:43.000000000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: qutebrowser -Version: 1.4.0 +Version: 1.4.1 Summary: A keyboard-driven, vim-like browser based on PyQt5. Home-page: https://www.qutebrowser.org/ Author: Florian Bruhin diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/doc/changelog.asciidoc new/qutebrowser-1.4.1/doc/changelog.asciidoc --- old/qutebrowser-1.4.0/doc/changelog.asciidoc 2018-07-03 15:42:10.000000000 +0200 +++ new/qutebrowser-1.4.1/doc/changelog.asciidoc 2018-07-11 17:18:57.000000000 +0200 @@ -15,6 +15,30 @@ // `Fixed` for any bug fixes. // `Security` to invite users to upgrade in case of vulnerabilities. +v1.4.1 +------ + +Security +~~~~~~~~ + +- CVE-2018-10895: Fix CSRF issue on the qute://settings page, leading to + possible arbitrary code execution. See the related GitHub issue for details: + https://github.com/qutebrowser/qutebrowser/issues/4060 + +Fixed +~~~~~ + +- Rare crash when an error occurs in downloads. +- Newlines are now stripped from the :version pastebin URL. +- There's a new `mkvenv-pypi-old` environment in `tox.ini` which installs an + older Qt, which is needed on Ubuntu 16.04. +- Worked around a Qt issue which redirects to a `chrome-error://` page when + trying to use U2F. +- The `link_pyqt.py` script now works correctly with PyQt 5.11. +- The Windows installer now uninstalls the old version before installing the + new one, fixing issues with qutebrowser not starting after installing v1.4.0 + over v1.3.3. + v1.4.0 ------ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/doc/qutebrowser.1 new/qutebrowser-1.4.1/doc/qutebrowser.1 --- old/qutebrowser-1.4.0/doc/qutebrowser.1 2018-07-03 15:48:15.000000000 +0200 +++ new/qutebrowser-1.4.1/doc/qutebrowser.1 2018-07-11 17:19:41.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: qutebrowser .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> -.\" Date: 07/03/2018 +.\" Date: 07/11/2018 .\" Manual: qutebrowser manpage .\" Source: qutebrowser .\" Language: English .\" -.TH "QUTEBROWSER" "1" "07/03/2018" "qutebrowser" "qutebrowser manpage" +.TH "QUTEBROWSER" "1" "07/11/2018" "qutebrowser" "qutebrowser manpage" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/qutebrowser/__init__.py new/qutebrowser-1.4.1/qutebrowser/__init__.py --- old/qutebrowser-1.4.0/qutebrowser/__init__.py 2018-07-03 15:44:42.000000000 +0200 +++ new/qutebrowser-1.4.1/qutebrowser/__init__.py 2018-07-11 17:17:51.000000000 +0200 @@ -26,7 +26,7 @@ __license__ = "GPL" __maintainer__ = __author__ __email__ = "m...@qutebrowser.org" -__version_info__ = (1, 4, 0) +__version_info__ = (1, 4, 1) __version__ = '.'.join(str(e) for e in __version_info__) __description__ = "A keyboard-driven, vim-like browser based on PyQt5." diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/qutebrowser/browser/qtnetworkdownloads.py new/qutebrowser-1.4.1/qutebrowser/browser/qtnetworkdownloads.py --- old/qutebrowser-1.4.0/qutebrowser/browser/qtnetworkdownloads.py 2018-06-22 00:23:33.000000000 +0200 +++ new/qutebrowser-1.4.1/qutebrowser/browser/qtnetworkdownloads.py 2018-07-11 17:08:42.000000000 +0200 @@ -29,7 +29,7 @@ from PyQt5.QtNetwork import QNetworkRequest, QNetworkReply from qutebrowser.config import config -from qutebrowser.utils import message, usertypes, log, urlutils, utils +from qutebrowser.utils import message, usertypes, log, urlutils, utils, debug from qutebrowser.browser import downloads from qutebrowser.browser.webkit import http from qutebrowser.browser.webkit.network import networkmanager @@ -307,7 +307,14 @@ """Handle QNetworkReply errors.""" if code == QNetworkReply.OperationCanceledError: return - self._die(self._reply.errorString()) + + if self._reply is None: + error = "Unknown error: {}".format( + debug.qenum_key(QNetworkReply, code)) + else: + error = self._reply.errorString() + + self._die(error) @pyqtSlot() def _on_read_timer_timeout(self): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/qutebrowser/browser/qutescheme.py new/qutebrowser-1.4.1/qutebrowser/browser/qutescheme.py --- old/qutebrowser-1.4.0/qutebrowser/browser/qutescheme.py 2018-07-02 23:20:34.000000000 +0200 +++ new/qutebrowser-1.4.1/qutebrowser/browser/qutescheme.py 2018-07-11 17:09:14.000000000 +0200 @@ -32,9 +32,17 @@ import mimetypes import urllib import collections +import base64 + +try: + import secrets +except ImportError: + # New in Python 3.6 + secrets = None import pkg_resources from PyQt5.QtCore import QUrlQuery, QUrl +from PyQt5.QtNetwork import QNetworkReply import qutebrowser from qutebrowser.config import config, configdata, configexc, configdiff @@ -46,6 +54,7 @@ pyeval_output = ":pyeval was never called" spawn_output = ":spawn was never called" +csrf_token = None _HANDLERS = {} @@ -449,12 +458,29 @@ @add_handler('settings') def qute_settings(url): """Handler for qute://settings. View/change qute configuration.""" + global csrf_token + if url.path() == '/set': + if url.password() != csrf_token: + message.error("Invalid CSRF token for qute://settings!") + raise QuteSchemeError("Invalid CSRF token!", + QNetworkReply.ContentAccessDenied) return _qute_settings_set(url) + # Requests to qute://settings/set should only be allowed from + # qute://settings. As an additional security precaution, we generate a CSRF + # token to use here. + if secrets: + csrf_token = secrets.token_urlsafe() + else: + # On Python < 3.6, from secrets.py + token = base64.urlsafe_b64encode(os.urandom(32)) + csrf_token = token.rstrip(b'=').decode('ascii') + src = jinja.render('settings.html', title='settings', configdata=configdata, - confget=config.instance.get_str) + confget=config.instance.get_str, + csrf_token=csrf_token) return 'text/html', src diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/qutebrowser/browser/webengine/interceptor.py new/qutebrowser-1.4.1/qutebrowser/browser/webengine/interceptor.py --- old/qutebrowser-1.4.0/qutebrowser/browser/webengine/interceptor.py 2018-07-02 22:29:24.000000000 +0200 +++ new/qutebrowser-1.4.1/qutebrowser/browser/webengine/interceptor.py 2018-07-11 17:09:14.000000000 +0200 @@ -19,6 +19,7 @@ """A request interceptor taking care of adblocking and custom headers.""" +from PyQt5.QtCore import QUrl from PyQt5.QtWebEngineCore import (QWebEngineUrlRequestInterceptor, QWebEngineUrlRequestInfo) @@ -69,6 +70,18 @@ resource_type, navigation_type)) url = info.requestUrl() + firstparty = info.firstPartyUrl() + + if ((url.scheme(), url.host(), url.path()) == + ('qute', 'settings', '/set')): + if (firstparty != QUrl('qute://settings/') or + info.resourceType() != + QWebEngineUrlRequestInfo.ResourceTypeXhr): + log.webview.warning("Blocking malicious request from {} to {}" + .format(firstparty.toDisplayString(), + url.toDisplayString())) + info.block(True) + return # FIXME:qtwebengine only block ads for NavigationTypeOther? if self._host_blocker.is_blocked(url): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/qutebrowser/browser/webengine/webenginequtescheme.py new/qutebrowser-1.4.1/qutebrowser/browser/webengine/webenginequtescheme.py --- old/qutebrowser-1.4.0/qutebrowser/browser/webengine/webenginequtescheme.py 2018-06-22 00:23:33.000000000 +0200 +++ new/qutebrowser-1.4.1/qutebrowser/browser/webengine/webenginequtescheme.py 2018-07-11 17:09:14.000000000 +0200 @@ -37,6 +37,7 @@ if qtutils.version_check('5.11', compiled=False): # WORKAROUND for https://bugreports.qt.io/browse/QTBUG-63378 profile.installUrlSchemeHandler(b'chrome-error', self) + profile.installUrlSchemeHandler(b'chrome-extension', self) def requestStarted(self, job): """Handle a request for a qute: scheme. @@ -49,13 +50,33 @@ """ url = job.requestUrl() - if url.scheme() == 'chrome-error': + if url.scheme() in ['chrome-error', 'chrome-extension']: # WORKAROUND for https://bugreports.qt.io/browse/QTBUG-63378 job.fail(QWebEngineUrlRequestJob.UrlInvalid) return - assert job.requestMethod() == b'GET' + # Only the browser itself or qute:// pages should access any of those + # URLs. + # The request interceptor further locks down qute://settings/set. + try: + initiator = job.initiator() + except AttributeError: + # Added in Qt 5.11 + pass + else: + if initiator.isValid() and initiator.scheme() != 'qute': + log.misc.warning("Blocking malicious request from {} to {}" + .format(initiator.toDisplayString(), + url.toDisplayString())) + job.fail(QWebEngineUrlRequestJob.RequestDenied) + return + + if job.requestMethod() != b'GET': + job.fail(QWebEngineUrlRequestJob.RequestDenied) + return + assert url.scheme() == 'qute' + log.misc.debug("Got request for {}".format(url.toDisplayString())) try: mimetype, data = qutescheme.data_for_url(url) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/qutebrowser/browser/webkit/network/filescheme.py new/qutebrowser-1.4.1/qutebrowser/browser/webkit/network/filescheme.py --- old/qutebrowser-1.4.0/qutebrowser/browser/webkit/network/filescheme.py 2018-06-22 00:23:33.000000000 +0200 +++ new/qutebrowser-1.4.1/qutebrowser/browser/webkit/network/filescheme.py 2018-07-11 17:09:14.000000000 +0200 @@ -111,11 +111,13 @@ return html.encode('UTF-8', errors='xmlcharrefreplace') -def handler(request): +def handler(request, _operation, _current_url): """Handler for a file:// URL. Args: request: QNetworkRequest to answer to. + _operation: The HTTP operation being done. + _current_url: The page we're on currently. Return: A QNetworkReply for directories, None for files. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/qutebrowser/browser/webkit/network/networkmanager.py new/qutebrowser-1.4.1/qutebrowser/browser/webkit/network/networkmanager.py --- old/qutebrowser-1.4.0/qutebrowser/browser/webkit/network/networkmanager.py 2018-07-02 22:29:24.000000000 +0200 +++ new/qutebrowser-1.4.1/qutebrowser/browser/webkit/network/networkmanager.py 2018-07-11 17:09:14.000000000 +0200 @@ -373,13 +373,6 @@ req, proxy_error, QNetworkReply.UnknownProxyError, self) - scheme = req.url().scheme() - if scheme in self._scheme_handlers: - result = self._scheme_handlers[scheme](req) - if result is not None: - result.setParent(self) - return result - for header, value in shared.custom_headers(url=req.url()): req.setRawHeader(header, value) @@ -416,5 +409,12 @@ req.url().toDisplayString(), current_url.toDisplayString())) + scheme = req.url().scheme() + if scheme in self._scheme_handlers: + result = self._scheme_handlers[scheme](req, op, current_url) + if result is not None: + result.setParent(self) + return result + self.set_referer(req, current_url) return super().createRequest(op, req, outgoing_data) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/qutebrowser/browser/webkit/network/webkitqutescheme.py new/qutebrowser-1.4.1/qutebrowser/browser/webkit/network/webkitqutescheme.py --- old/qutebrowser-1.4.0/qutebrowser/browser/webkit/network/webkitqutescheme.py 2018-06-22 00:23:33.000000000 +0200 +++ new/qutebrowser-1.4.1/qutebrowser/browser/webkit/network/webkitqutescheme.py 2018-07-11 17:09:14.000000000 +0200 @@ -21,27 +21,46 @@ import mimetypes -from PyQt5.QtNetwork import QNetworkReply +from PyQt5.QtCore import QUrl +from PyQt5.QtNetwork import QNetworkReply, QNetworkAccessManager from qutebrowser.browser import pdfjs, qutescheme from qutebrowser.browser.webkit.network import networkreply from qutebrowser.utils import log, usertypes, qtutils -def handler(request): +def handler(request, operation, current_url): """Scheme handler for qute:// URLs. Args: request: QNetworkRequest to answer to. + operation: The HTTP operation being done. + current_url: The page we're on currently. Return: A QNetworkReply. """ + if operation != QNetworkAccessManager.GetOperation: + return networkreply.ErrorNetworkReply( + request, "Unsupported request type", + QNetworkReply.ContentOperationNotPermittedError) + + url = request.url() + + if ((url.scheme(), url.host(), url.path()) == + ('qute', 'settings', '/set')): + if current_url != QUrl('qute://settings/'): + log.webview.warning("Blocking malicious request from {} to {}" + .format(current_url.toDisplayString(), + url.toDisplayString())) + return networkreply.ErrorNetworkReply( + request, "Invalid qute://settings request", + QNetworkReply.ContentAccessDenied) + try: - mimetype, data = qutescheme.data_for_url(request.url()) + mimetype, data = qutescheme.data_for_url(url) except qutescheme.NoHandlerFound: - errorstr = "No handler found for {}!".format( - request.url().toDisplayString()) + errorstr = "No handler found for {}!".format(url.toDisplayString()) return networkreply.ErrorNetworkReply( request, errorstr, QNetworkReply.ContentNotFoundError) except qutescheme.QuteSchemeOSError as e: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/qutebrowser/git-commit-id new/qutebrowser-1.4.1/qutebrowser/git-commit-id --- old/qutebrowser-1.4.0/qutebrowser/git-commit-id 2018-07-03 15:48:17.000000000 +0200 +++ new/qutebrowser-1.4.1/qutebrowser/git-commit-id 2018-07-11 17:19:43.000000000 +0200 @@ -1 +1 @@ -0f037fb41 (2018-07-03 15:44:44 +0200) \ No newline at end of file +75d153d6d (2018-07-11 17:16:50 +0200) \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/qutebrowser/html/doc/changelog.html new/qutebrowser-1.4.1/qutebrowser/html/doc/changelog.html --- old/qutebrowser-1.4.0/qutebrowser/html/doc/changelog.html 2018-07-03 15:47:57.000000000 +0200 +++ new/qutebrowser-1.4.1/qutebrowser/html/doc/changelog.html 2018-07-11 17:19:18.000000000 +0200 @@ -807,6 +807,62 @@ </div> </div> <div class="sect1"> +<h2 id="_v1_4_1">v1.4.1</h2> +<div class="sectionbody"> +<div class="sect2"> +<h3 id="_security">Security</h3> +<div class="ulist"><ul> +<li> +<p> +CVE-2018-10895: Fix CSRF issue on the qute://settings page, leading to + possible arbitrary code execution. See the related GitHub issue for details: + <a href="https://github.com/qutebrowser/qutebrowser/issues/4060">https://github.com/qutebrowser/qutebrowser/issues/4060</a> +</p> +</li> +</ul></div> +</div> +<div class="sect2"> +<h3 id="_fixed">Fixed</h3> +<div class="ulist"><ul> +<li> +<p> +Rare crash when an error occurs in downloads. +</p> +</li> +<li> +<p> +Newlines are now stripped from the :version pastebin URL. +</p> +</li> +<li> +<p> +There’s a new <code>mkvenv-pypi-old</code> environment in <code>tox.ini</code> which installs an + older Qt, which is needed on Ubuntu 16.04. +</p> +</li> +<li> +<p> +Worked around a Qt issue which redirects to a <code>chrome-error://</code> page when + trying to use U2F. +</p> +</li> +<li> +<p> +The <code>link_pyqt.py</code> script now works correctly with PyQt 5.11. +</p> +</li> +<li> +<p> +The Windows installer now uninstalls the old version before installing the + new one, fixing issues with qutebrowser not starting after installing v1.4.0 + over v1.3.3. +</p> +</li> +</ul></div> +</div> +</div> +</div> +<div class="sect1"> <h2 id="_v1_4_0">v1.4.0</h2> <div class="sectionbody"> <div class="sect2"> @@ -1099,7 +1155,7 @@ </ul></div> </div> <div class="sect2"> -<h3 id="_fixed">Fixed</h3> +<h3 id="_fixed_2">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -1156,7 +1212,7 @@ <h2 id="_v1_3_3">v1.3.3</h2> <div class="sectionbody"> <div class="sect2"> -<h3 id="_security">Security</h3> +<h3 id="_security_2">Security</h3> <div class="ulist"><ul> <li> <p> @@ -1170,7 +1226,7 @@ </ul></div> </div> <div class="sect2"> -<h3 id="_fixed_2">Fixed</h3> +<h3 id="_fixed_3">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -1197,7 +1253,7 @@ <h2 id="_v1_3_2">v1.3.2</h2> <div class="sectionbody"> <div class="sect2"> -<h3 id="_fixed_3">Fixed</h3> +<h3 id="_fixed_4">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -1231,7 +1287,7 @@ <h2 id="_v1_3_1">v1.3.1</h2> <div class="sectionbody"> <div class="sect2"> -<h3 id="_fixed_4">Fixed</h3> +<h3 id="_fixed_5">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -1368,7 +1424,7 @@ </ul></div> </div> <div class="sect2"> -<h3 id="_fixed_5">Fixed</h3> +<h3 id="_fixed_6">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -1523,7 +1579,7 @@ <h2 id="_v1_2_1">v1.2.1</h2> <div class="sectionbody"> <div class="sect2"> -<h3 id="_fixed_6">Fixed</h3> +<h3 id="_fixed_7">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -1880,7 +1936,7 @@ </ul></div> </div> <div class="sect2"> -<h3 id="_fixed_7">Fixed</h3> +<h3 id="_fixed_8">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -2064,7 +2120,7 @@ </ul></div> </div> <div class="sect2"> -<h3 id="_fixed_8">Fixed</h3> +<h3 id="_fixed_9">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -2084,7 +2140,7 @@ <h2 id="_v1_1_1">v1.1.1</h2> <div class="sectionbody"> <div class="sect2"> -<h3 id="_fixed_9">Fixed</h3> +<h3 id="_fixed_10">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -2441,7 +2497,7 @@ </ul></div> </div> <div class="sect2"> -<h3 id="_fixed_10">Fixed</h3> +<h3 id="_fixed_11">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -2584,7 +2640,7 @@ <h2 id="_v1_0_4">v1.0.4</h2> <div class="sectionbody"> <div class="sect2"> -<h3 id="_fixed_11">Fixed</h3> +<h3 id="_fixed_12">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -2647,7 +2703,7 @@ </ul></div> </div> <div class="sect2"> -<h3 id="_fixed_12">Fixed</h3> +<h3 id="_fixed_13">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -2678,7 +2734,7 @@ <h2 id="_v1_0_2">v1.0.2</h2> <div class="sectionbody"> <div class="sect2"> -<h3 id="_fixed_13">Fixed</h3> +<h3 id="_fixed_14">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -2728,7 +2784,7 @@ <h2 id="_v1_0_1">v1.0.1</h2> <div class="sectionbody"> <div class="sect2"> -<h3 id="_fixed_14">Fixed</h3> +<h3 id="_fixed_15">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -3328,7 +3384,7 @@ </ul></div> </div> <div class="sect2"> -<h3 id="_fixed_15">Fixed</h3> +<h3 id="_fixed_16">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -3499,7 +3555,7 @@ </ul></div> </div> <div class="sect2"> -<h3 id="_fixed_16">Fixed</h3> +<h3 id="_fixed_17">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -3744,7 +3800,7 @@ </ul></div> </div> <div class="sect2"> -<h3 id="_fixed_17">Fixed</h3> +<h3 id="_fixed_18">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -3875,7 +3931,7 @@ <h2 id="_v0_9_1">v0.9.1</h2> <div class="sectionbody"> <div class="sect2"> -<h3 id="_fixed_18">Fixed</h3> +<h3 id="_fixed_19">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -4422,7 +4478,7 @@ </ul></div> </div> <div class="sect2"> -<h3 id="_fixed_19">Fixed</h3> +<h3 id="_fixed_20">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -4474,7 +4530,7 @@ <h2 id="_v0_8_3">v0.8.3</h2> <div class="sectionbody"> <div class="sect2"> -<h3 id="_fixed_20">Fixed</h3> +<h3 id="_fixed_21">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -4545,7 +4601,7 @@ <h2 id="_v0_8_2">v0.8.2</h2> <div class="sectionbody"> <div class="sect2"> -<h3 id="_fixed_21">Fixed</h3> +<h3 id="_fixed_22">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -4619,7 +4675,7 @@ <h2 id="_v0_8_1">v0.8.1</h2> <div class="sectionbody"> <div class="sect2"> -<h3 id="_fixed_22">Fixed</h3> +<h3 id="_fixed_23">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -4738,7 +4794,7 @@ </div> </div> <div class="sect1"> -<h2 id="_fixed_23">Fixed</h2> +<h2 id="_fixed_24">Fixed</h2> <div class="sectionbody"> <div class="ulist"><ul> <li> @@ -4994,7 +5050,7 @@ </div> </div> <div class="sect1"> -<h2 id="_fixed_24">Fixed</h2> +<h2 id="_fixed_25">Fixed</h2> <div class="sectionbody"> <div class="ulist"><ul> <li> @@ -5102,7 +5158,7 @@ <h2 id="_v0_6_2">v0.6.2</h2> <div class="sectionbody"> <div class="sect2"> -<h3 id="_fixed_25">Fixed</h3> +<h3 id="_fixed_26">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -5139,7 +5195,7 @@ <h2 id="_v0_6_1">v0.6.1</h2> <div class="sectionbody"> <div class="sect2"> -<h3 id="_fixed_26">Fixed</h3> +<h3 id="_fixed_27">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -5279,7 +5335,7 @@ </ul></div> </div> <div class="sect2"> -<h3 id="_fixed_27">Fixed</h3> +<h3 id="_fixed_28">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -5387,7 +5443,7 @@ <h2 id="_v0_5_1">v0.5.1</h2> <div class="sectionbody"> <div class="sect2"> -<h3 id="_fixed_28">Fixed</h3> +<h3 id="_fixed_29">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -5708,7 +5764,7 @@ </ul></div> </div> <div class="sect2"> -<h3 id="_fixed_29">Fixed</h3> +<h3 id="_fixed_30">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -5801,7 +5857,7 @@ <h2 id="_v0_4_1">v0.4.1</h2> <div class="sectionbody"> <div class="sect2"> -<h3 id="_fixed_30">Fixed</h3> +<h3 id="_fixed_31">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -6003,7 +6059,7 @@ </ul></div> </div> <div class="sect2"> -<h3 id="_fixed_31">Fixed</h3> +<h3 id="_fixed_32">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -6332,7 +6388,7 @@ </ul></div> </div> <div class="sect2"> -<h3 id="_fixed_32">Fixed</h3> +<h3 id="_fixed_33">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -6426,7 +6482,7 @@ <h2 id="_a_href_https_github_com_qutebrowser_qutebrowser_releases_tag_v0_2_1_v0_2_1_a"><a href="https://github.com/qutebrowser/qutebrowser/releases/tag/v0.2.1">v0.2.1</a></h2> <div class="sectionbody"> <div class="sect2"> -<h3 id="_fixed_33">Fixed</h3> +<h3 id="_fixed_34">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -7008,7 +7064,7 @@ </ul></div> </div> <div class="sect2"> -<h3 id="_fixed_34">Fixed</h3> +<h3 id="_fixed_35">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -7168,7 +7224,7 @@ </ul></div> </div> <div class="sect2"> -<h3 id="_fixed_35">Fixed</h3> +<h3 id="_fixed_36">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -7233,7 +7289,7 @@ </ul></div> </div> <div class="sect2"> -<h3 id="_security_2">Security</h3> +<h3 id="_security_3">Security</h3> <div class="ulist"><ul> <li> <p> @@ -7278,7 +7334,7 @@ </ul></div> </div> <div class="sect2"> -<h3 id="_fixed_36">Fixed</h3> +<h3 id="_fixed_37">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -7353,7 +7409,7 @@ </ul></div> </div> <div class="sect2"> -<h3 id="_security_3">Security</h3> +<h3 id="_security_4">Security</h3> <div class="ulist"><ul> <li> <p> @@ -7393,7 +7449,7 @@ </ul></div> </div> <div class="sect2"> -<h3 id="_fixed_37">Fixed</h3> +<h3 id="_fixed_38">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -7573,7 +7629,7 @@ </ul></div> </div> <div class="sect2"> -<h3 id="_fixed_38">Fixed</h3> +<h3 id="_fixed_39">Fixed</h3> <div class="ulist"><ul> <li> <p> @@ -7695,7 +7751,7 @@ <div id="footer"> <div id="footer-text"> Last updated - 2018-07-03 15:47:56 CEST + 2018-07-11 17:19:17 CEST </div> </div> </body> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/qutebrowser/html/doc/commands.html new/qutebrowser-1.4.1/qutebrowser/html/doc/commands.html --- old/qutebrowser-1.4.0/qutebrowser/html/doc/commands.html 2018-07-03 15:48:04.000000000 +0200 +++ new/qutebrowser-1.4.1/qutebrowser/html/doc/commands.html 2018-07-11 17:19:26.000000000 +0200 @@ -4673,7 +4673,7 @@ <div id="footer"> <div id="footer-text"> Last updated - 2018-07-03 15:48:01 CEST + 2018-07-11 17:19:24 CEST </div> </div> </body> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/qutebrowser/html/doc/configuring.html new/qutebrowser-1.4.1/qutebrowser/html/doc/configuring.html --- old/qutebrowser-1.4.0/qutebrowser/html/doc/configuring.html 2018-07-03 15:48:09.000000000 +0200 +++ new/qutebrowser-1.4.1/qutebrowser/html/doc/configuring.html 2018-07-11 17:19:35.000000000 +0200 @@ -1260,7 +1260,7 @@ <div id="footer"> <div id="footer-text"> Last updated - 2018-07-03 15:48:04 CEST + 2018-07-11 17:19:26 CEST </div> </div> </body> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/qutebrowser/html/doc/contributing.html new/qutebrowser-1.4.1/qutebrowser/html/doc/contributing.html --- old/qutebrowser-1.4.0/qutebrowser/html/doc/contributing.html 2018-07-03 15:48:01.000000000 +0200 +++ new/qutebrowser-1.4.1/qutebrowser/html/doc/contributing.html 2018-07-11 17:19:23.000000000 +0200 @@ -2172,7 +2172,7 @@ <div id="footer"> <div id="footer-text"> Last updated - 2018-07-03 15:47:57 CEST + 2018-07-11 17:19:18 CEST </div> </div> </body> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/qutebrowser/html/doc/faq.html new/qutebrowser-1.4.1/qutebrowser/html/doc/faq.html --- old/qutebrowser-1.4.0/qutebrowser/html/doc/faq.html 2018-07-03 15:47:56.000000000 +0200 +++ new/qutebrowser-1.4.1/qutebrowser/html/doc/faq.html 2018-07-11 17:19:17.000000000 +0200 @@ -1255,7 +1255,7 @@ <div id="footer"> <div id="footer-text"> Last updated - 2018-07-03 15:47:56 CEST + 2018-07-11 17:19:16 CEST </div> </div> </body> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/qutebrowser/html/doc/index.html new/qutebrowser-1.4.1/qutebrowser/html/doc/index.html --- old/qutebrowser-1.4.0/qutebrowser/html/doc/index.html 2018-07-03 15:48:14.000000000 +0200 +++ new/qutebrowser-1.4.1/qutebrowser/html/doc/index.html 2018-07-11 17:19:40.000000000 +0200 @@ -905,7 +905,7 @@ <div id="footer"> <div id="footer-text"> Last updated - 2018-07-03 15:48:14 CEST + 2018-07-11 17:19:40 CEST </div> </div> </body> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/qutebrowser/html/doc/quickstart.html new/qutebrowser-1.4.1/qutebrowser/html/doc/quickstart.html --- old/qutebrowser-1.4.0/qutebrowser/html/doc/quickstart.html 2018-07-03 15:48:01.000000000 +0200 +++ new/qutebrowser-1.4.1/qutebrowser/html/doc/quickstart.html 2018-07-11 17:19:23.000000000 +0200 @@ -983,7 +983,7 @@ <div id="footer"> <div id="footer-text"> Last updated - 2018-07-03 15:48:01 CEST + 2018-07-11 17:19:23 CEST </div> </div> </body> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/qutebrowser/html/doc/settings.html new/qutebrowser-1.4.1/qutebrowser/html/doc/settings.html --- old/qutebrowser-1.4.0/qutebrowser/html/doc/settings.html 2018-07-03 15:48:14.000000000 +0200 +++ new/qutebrowser-1.4.1/qutebrowser/html/doc/settings.html 2018-07-11 17:19:40.000000000 +0200 @@ -6839,7 +6839,7 @@ <div id="footer"> <div id="footer-text"> Last updated - 2018-07-03 15:48:09 CEST + 2018-07-11 17:19:35 CEST </div> </div> </body> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/qutebrowser/html/doc/userscripts.html new/qutebrowser-1.4.1/qutebrowser/html/doc/userscripts.html --- old/qutebrowser-1.4.0/qutebrowser/html/doc/userscripts.html 2018-07-03 15:48:01.000000000 +0200 +++ new/qutebrowser-1.4.1/qutebrowser/html/doc/userscripts.html 2018-07-11 17:19:24.000000000 +0200 @@ -963,7 +963,7 @@ <div id="footer"> <div id="footer-text"> Last updated - 2018-07-03 15:48:01 CEST + 2018-07-11 17:19:23 CEST </div> </div> </body> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/qutebrowser/html/settings.html new/qutebrowser-1.4.1/qutebrowser/html/settings.html --- old/qutebrowser-1.4.0/qutebrowser/html/settings.html 2018-06-22 00:23:33.000000000 +0200 +++ new/qutebrowser-1.4.1/qutebrowser/html/settings.html 2018-07-11 17:09:14.000000000 +0200 @@ -3,7 +3,8 @@ {% block script %} var cset = function(option, value) { // FIXME:conf we might want some error handling here? - var url = "qute://settings/set?option=" + encodeURIComponent(option); + var url = "qute://user:{{csrf_token}}@settings/set" + url += "?option=" + encodeURIComponent(option); url += "&value=" + encodeURIComponent(value); var xhr = new XMLHttpRequest(); xhr.open("GET", url); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/qutebrowser/utils/version.py new/qutebrowser-1.4.1/qutebrowser/utils/version.py --- old/qutebrowser-1.4.0/qutebrowser/utils/version.py 2018-07-02 22:29:24.000000000 +0200 +++ new/qutebrowser-1.4.1/qutebrowser/utils/version.py 2018-07-11 17:08:42.000000000 +0200 @@ -484,6 +484,7 @@ def _on_paste_version_success(url): global pastebin_url + url = url.strip() _yank_url(url) pbclient.deleteLater() pastebin_url = url diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/qutebrowser.egg-info/PKG-INFO new/qutebrowser-1.4.1/qutebrowser.egg-info/PKG-INFO --- old/qutebrowser-1.4.0/qutebrowser.egg-info/PKG-INFO 2018-07-03 15:48:17.000000000 +0200 +++ new/qutebrowser-1.4.1/qutebrowser.egg-info/PKG-INFO 2018-07-11 17:19:43.000000000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: qutebrowser -Version: 1.4.0 +Version: 1.4.1 Summary: A keyboard-driven, vim-like browser based on PyQt5. Home-page: https://www.qutebrowser.org/ Author: Florian Bruhin diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/scripts/link_pyqt.py new/qutebrowser-1.4.1/scripts/link_pyqt.py --- old/qutebrowser-1.4.0/scripts/link_pyqt.py 2018-06-22 00:23:33.000000000 +0200 +++ new/qutebrowser-1.4.1/scripts/link_pyqt.py 2018-07-11 17:08:42.000000000 +0200 @@ -136,7 +136,15 @@ executable: The python executable where the source files are present. venv_path: The path to the virtualenv site-packages. """ - sip_file = get_lib_path(executable, 'sip') + try: + get_lib_path(executable, 'PyQt5.sip') + except Error: + # There is no PyQt5.sip, so we need to copy the toplevel sip. + sip_file = get_lib_path(executable, 'sip') + else: + # There is a PyQt5.sip, it'll get copied with the PyQt5 dir. + sip_file = None + sipconfig_file = get_lib_path(executable, 'sipconfig', required=False) pyqt_dir = os.path.dirname(get_lib_path(executable, 'PyQt5.QtCore')) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qutebrowser-1.4.0/tox.ini new/qutebrowser-1.4.1/tox.ini --- old/qutebrowser-1.4.0/tox.ini 2018-07-03 13:31:40.000000000 +0200 +++ new/qutebrowser-1.4.1/tox.ini 2018-07-11 17:08:42.000000000 +0200 @@ -62,6 +62,19 @@ -r{toxinidir}/requirements.txt -r{toxinidir}/misc/requirements/requirements-pyqt.txt +# Older PyQt for Python 3.5 +# 5.11.2: https://www.riverbankcomputing.com/pipermail/pyqt/2018-July/040511.html +# 5.10.1: https://github.com/qutebrowser/qutebrowser/issues/3662 +[testenv:mkvenv-pypi-old] +basepython = {env:PYTHON:python3.5} +envdir = {toxinidir}/.venv +commands = {envpython} -c "" +usedevelop = true +deps = + -r{toxinidir}/requirements.txt + PyQt5==5.10 + sip==4.19.8 + [testenv:misc] ignore_errors = true basepython = {env:PYTHON:python3}