Hey, I'm happy to announce that I just released qutebrowser v2.4.0!

This release fixes a high-severity arbitrary command execution on Windows via URL handlers, see the security advisory and commit message for details:

https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm
https://github.com/qutebrowser/qutebrowser/commit/8f46ba3f6dc7b18375f7aa63c48a1fe461190430

Windows users are urged to update as soon as possible.

For everyone else, this is a rather quiet release, with the most interesting improvement perhaps being slightly improved Greasemonkey support.

Here's the full changelog:

Security
~~~~~~~~

- **CVE-2021-41146**: Fix arbitrary command execution on Windows via URL handler argument injection. See the security advisory for details.

Added
~~~~~

- New `content.blocking.hosts.block_subdomains` setting which can be used to disable the subdomain blocking for the hosts-based adblocker introduced in v2.3.0.
- New `downloads.prevent_mixed_content` setting to prevent insecure mixed-content downloads (true by default).
- New `--private` flag for `:tab-clone`, which clones a tab into a new private window, mirroring the same flags for `:open` and `:tab-give`.

Fixed
~~~~~

- Switching tabs via mouse wheel scrolling now works properly on macOS. Set `tabs.mousewheel_switching` to false if you prefer the previous behavior.
- Speculative fix for a crash when closing qutebrowser while a systray notification is shown.

Changed
~~~~~~~

- Typing in the filename prompt now filters matching directories.
- When opening a file qutebrowser can't handle from a `file:///` directory listing, qutebrowser now opens it with the default application rather than displaying a download prompt.
- In Greasemonkey scripts, using "overrideMimeType" with GM_xmlhttpRequest is now supported.
- `:hint --rapid` is now supported for the `tab` hinting target no matter what `tabs.background` is set to, as there are various scenarios where tabs can open in the background.
- New flags for the `qute-pass` userscript:
  * `--unfiltered` to show all secrets, not just the one matching the current URL.
  * `--always-show-selection` to confirm the password to be entered even if there's only a single match.
- In insert mode, `<Shift-Escape>` is now bound to `fake-key <Escape>` by default, i.e., sends an Escape keypress to the website.
- Using `GM_setClipboard` in Greasemonkey scripts is now supported.

Florian

--
m...@the-compiler.org | https://www.qutebrowser.org
https://bruhin.software/ | https://github.com/sponsors/The-Compiler/
GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc
I love long mails! | https://email.is-not-s.ms/