From anonymous, 2 Months ago, written in Diff-output.
Embed
  1. diff --git a/qutebrowser/browser/webengine/webenginequtescheme.py b/qutebrowser/browser/webengine/webenginequtescheme.py
  2. index 3eb7c7df1..3ddbf48f4 100644
  3. --- a/qutebrowser/browser/webengine/webenginequtescheme.py
  4. +++ b/qutebrowser/browser/webengine/webenginequtescheme.py
  5. @@ -19,7 +19,7 @@
  6.  
  7.  """QtWebEngine specific qute://* handlers and glue code."""
  8.  
  9. -from PyQt5.QtCore import QBuffer, QIODevice
  10. +from PyQt5.QtCore import QBuffer, QIODevice, QUrl
  11.  from PyQt5.QtWebEngineCore import (QWebEngineUrlSchemeHandler,
  12.                                     QWebEngineUrlRequestJob)
  13.  
  14. @@ -39,6 +39,37 @@ class QuteSchemeHandler(QWebEngineUrlSchemeHandler):
  15.              profile.installUrlSchemeHandler(b'chrome-error', self)
  16.              profile.installUrlSchemeHandler(b'chrome-extension', self)
  17.  
  18. +    def _check_initiator(self, job):
  19. +        """Check whether the initiator of the job should be allowed.
  20. +
  21. +        Only the browser itself or qute:// pages should access any of those
  22. +        URLs. The request interceptor further locks down qute://settings/set.
  23. +
  24. +        Args:
  25. +            job: QWebEngineUrlRequestJob
  26. +
  27. +        Return:
  28. +            True if the initiator is allowed, False if it was blocked.
  29. +        """
  30. +        try:
  31. +            initiator = job.initiator()
  32. +        except AttributeError:
  33. +            # Added in Qt 5.11
  34. +            return True
  35. +
  36. +        if initiator == QUrl('null') and not qtutils.version_check('5.12'):
  37. +            # WORKAROUND for https://bugreports.qt.io/browse/QTBUG-70421
  38. +            return True
  39. +
  40. +        if initiator.isValid() and initiator.scheme() != 'qute':
  41. +            log.misc.warning("Blocking malicious request from {} to {}".format(
  42. +                initiator.toDisplayString(),
  43. +                job.requestUrl().toDisplayString()))
  44. +            job.fail(QWebEngineUrlRequestJob.RequestDenied)
  45. +            return False
  46. +
  47. +        return True
  48. +
  49.      def requestStarted(self, job):
  50.          """Handle a request for a qute: scheme.
  51.  
  52. @@ -55,21 +86,8 @@ class QuteSchemeHandler(QWebEngineUrlSchemeHandler):
  53.              job.fail(QWebEngineUrlRequestJob.UrlInvalid)
  54.              return
  55.  
  56. -        # Only the browser itself or qute:// pages should access any of those
  57. -        # URLs.
  58. -        # The request interceptor further locks down qute://settings/set.
  59. -        try:
  60. -            initiator = job.initiator()
  61. -        except AttributeError:
  62. -            # Added in Qt 5.11
  63. -            pass
  64. -        else:
  65. -            if initiator.isValid() and initiator.scheme() != 'qute':
  66. -                log.misc.warning("Blocking malicious request from {} to {}"
  67. -                                 .format(initiator.toDisplayString(),
  68. -                                         url.toDisplayString()))
  69. -                job.fail(QWebEngineUrlRequestJob.RequestDenied)
  70. -                return
  71. +        if not self._check_initiator(job):
  72. +            return
  73.  
  74.          if job.requestMethod() != b'GET':
  75.              job.fail(QWebEngineUrlRequestJob.RequestDenied)
  76.