Hi, I just released qutebrowser v0.9.1, which fixes a security issue with QtWebEngine.
Due to a Qt bug[1], download paths with QtWebEngine are percent-encoded, i.e. a file named "foo bar" got saved as "foo%20bar". Thus, qutebrowser was percent-decoding that path again.

However, when the server uses a Content-Disposition header to set a custom filename, percent-escapes therein are decoded as well. This means a server can send such a header with a value like "..%2F.bash_login", and since %2F decodes to a slash, qutebrowser will download the served file to ~/.bash_login (assuming that ~/Downloads is set as download dir). If download prompts are disabled, this could happen silently. If download auto cleanup is enabled, this could potentially go unnoticed in some way.

This means I felt obliged to fix this right away even though I'm supposed to learn for upcoming exams ;)

Either way - this is fixed in v0.9.1. If you can't update right away for some reason, I recommend setting:

    storage -> prompt-download-directory = true
    completion -> download-path-suggestion = both

so you'd notice if this happens.

This issue was introduced with v0.9.0 and only affects QtWebEngine.

Sorry for the trouble!

Florian

[1] https://bugreports.qt.io/browse/QTBUG-58155

-- 
http://www.the-compiler.org | [email protected] (Mail/XMPP)
GPG: 916E B0C8 FD55 A072 | http://the-compiler.org/pubkey.asc
I love long mails! | http://email.is-not-s.ms/
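The decode-then-join behaviour described in the mail, next to a hardened variant, as an added example (not qutebrowser's code and not the actual v0.9.1 fix). The download directory, the function names and the fallback filename are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

DOWNLOAD_DIR = "/home/user/Downloads"  # assumed download directory


def naive_target(suggested, download_dir=DOWNLOAD_DIR):
    """Behaviour from the mail: percent-decode the name, then join it."""
    # %2F becomes "/" here, so "..%2F" turns into a parent-directory step.
    return posixpath.normpath(posixpath.join(download_dir, unquote(suggested)))


def inside(path, download_dir=DOWNLOAD_DIR):
    """True if the normalised path stays below the download directory."""
    return posixpath.commonpath([download_dir, path]) == download_dir


def safe_target(suggested, download_dir=DOWNLOAD_DIR):
    """Decode once, keep only the last path component, verify containment."""
    decoded = unquote(suggested).replace("\\", "/")
    name = posixpath.basename(decoded)
    if name in ("", ".", ".."):
        name = "download"  # hypothetical fallback filename
    target = posixpath.normpath(posixpath.join(download_dir, name))
    if not inside(target, download_dir):
        raise ValueError("refusing to write outside the download directory")
    return target


if __name__ == "__main__":
    # Constructed Content-Disposition filename values, including the one from the mail.
    for value in ["foo%20bar", "..%2F.bash_login", "%2Ftmp%2Fx", ".."]:
        naive = naive_target(value)
        print(f"{value!r}: naive={naive} (inside={inside(naive)}) "
              f"safe={safe_target(value)}")
```
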
