qutebrowser v0.1.3 released!

Florian Bruhin me at the-compiler.org
Thu Feb 12 08:28:33 CET 2015


Hi,

I just released v0.1.3 which fixes a security issue and some other
bugs.

Security issue
--------------

Unfortunately passwords with HTTP authentication (i.e. the blue
input in the status bar) were logged in the debug log. This means it's
retrievable by the user by opening qute:log, and it will be sent in
crash reports if the user leaves the "send a debug log" option
checked.

Let me explain how this happened - I took care to not log passwords if
possible, e.g. keyboard input in insert mode is *not* logged. In this
case however, this happened because the widget which currently has
keyboard focus gets logged, to debug key input issues.

Usernames and passwords were leaked because the repr() (debug
representation) of the prompt widget also logged its text:

    modeman:_eventFilter_keypress:204 handled: False,
    forward-unbound-keys: auto, passthrough: True, is_non_alnum: False
    --> filter: False (focused:
    <qutebrowser.mainwindow.statusbar.prompt.PromptLineEdit
    text='PASSWORD'>)

This issue existed since eb5527f897de74187ef748502b0fadd122f23f42
pushed on 28th October 2014, i.e. all released versions are affected.
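The following is an added illustration, not qutebrowser code: a tiny stand-in for the Qt line edit (no Qt needed) shows why writing repr() of the focused widget to the debug log leaked the prompt text, what the v0.1.3 change to __repr__ does instead, and a scrub step that a crash-report path can run over an existing log before it leaves the machine. The get_repr helper only mimics the calling convention the patch shows for utils.get_repr; its output format, the class names and the sample password are assumptions.

```python
# Added example (not qutebrowser code): stand-in for the Qt line edit showing
# the leaky and the fixed repr(), plus a log scrub for crash reports.
import re


def get_repr(obj, **attrs):
    """Build '<module.Class key=value ...>'; a stand-in for the debug helper
    the patch calls utils.get_repr, assuming the same calling convention."""
    cls = type(obj)
    parts = ["{}.{}".format(cls.__module__, cls.__qualname__)]
    parts.extend("{}={!r}".format(k, v) for k, v in sorted(attrs.items()))
    return "<{}>".format(" ".join(parts))


class LeakyLineEdit:
    """Before the fix: repr() includes the widget text, so the HTTP-auth
    password prompt is written verbatim to the debug log while focused."""

    def __init__(self, text=""):
        self._text = text

    def text(self):
        return self._text

    def __repr__(self):
        return get_repr(self, text=self.text())


class SafeLineEdit(LeakyLineEdit):
    """After the fix: repr() names the widget but never its contents."""

    def __repr__(self):
        return get_repr(self)


def focus_log_line(widget):
    """Mimic the modeman debug line that records which widget has focus."""
    return "--> filter: False (focused: {!r})".format(widget)


# Matches a text='...' or text="..." attribute inside a widget repr.
_TEXT_ATTR = re.compile(r"(\btext=)(?:'[^']*'|\"[^\"]*\")")


def scrub_widget_text(log_text):
    """Defensive second layer for crash reports: replace any text='...' value
    in a widget repr with a placeholder so an old log cannot carry credentials."""
    return _TEXT_ATTR.sub(r"\1'<redacted>'", log_text)


if __name__ == "__main__":
    secret = "correct horse"  # constructed sample password
    print(focus_log_line(LeakyLineEdit(secret)))   # password visible
    print(focus_log_line(SafeLineEdit(secret)))    # widget only
    print(scrub_widget_text(focus_log_line(LeakyLineEdit(secret))))
```

Dropping the text from __repr__ is the right fix because the log line is emitted by code that has no idea which widget it is looking at; the scrub is only a safety net for logs written before the fix and should not be relied on as the primary control.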

It was fixed in c2f9cae770360848ca33083e628de79d8d0a1bc3 (master) and
b44d7c0b846670ea27cb6dab321f50ba48e6eb42 (v0.1.x):

    --- a/qutebrowser/misc/miscwidgets.py
    +++ b/qutebrowser/misc/miscwidgets.py
    @@ -43,7 +43,7 @@ class MinimalLineEditMixin:
             self.setAttribute(Qt.WA_MacShowFocusRect, False)

         def __repr__(self):
    -        return utils.get_repr(self, text=self.text())
    +        return utils.get_repr(self)
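Review bot: the new `return utils.get_repr(self)` applies to every widget using MinimalLineEditMixin, not only the password prompt, and nothing at the `def __repr__(self):` line records why the text is omitted; a one-line comment stating that the contents may hold credentials and must never appear in repr() would stop a later change from reintroducing `text=self.text()` for debugging convenience.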

There were 4 crash logs with leaked passwords in them, which are now
deleted. Unfortunately they were all without contact information.

I'm really sorry for this, and hope people will update soon.
Unfortunately mistakes happen, and in this case it was a non-obvious
way in which the information was logged.

For any questions you can reach me at me at the-compiler.org, GPG ID
916E B0C8 FD55 A072 (a link to the key is also in the signature).

v0.1.3 and v0.2
---------------

v0.1.3 is a bugfix-only release, with the bugfixes since v0.1.2
cherry-picked so they get out faster to people using non-git packages.

If you want the latest features, stay on git. There are still some
things I want to finish for v0.2:

https://github.com/The-Compiler/qutebrowser/issues?q=is%3Aopen+is%3Aissue+milestone%3Av0.2

But still, I hope to release v0.2 in the next few days to weeks.

Changes since v0.1.2
--------------------

* Don't show line edit text in its repr().
* Handle shutdown of page with prompt correctly.
* Various small logging improvements.
* fuzzy_url: handle invalid URLs with autosearch off
* Handle explicit searches with auto-search=false.
* Abort download override question on error/cancel.
* Set a higher z-index for hint labels.
* Don't open relative files in fuzzy_url with :open
* Various crashdialog improvements.
* Hide adblocked iframes.
* Close contextmenu when closing tab to avoid crash.
* Fix statusbar quickly popping up as window.
* Clean up NetworkManager after downloads finished.
* Fix restoring of cmd widget after an error.
* Fix retrying of downloads after the tab is closed.
* Fix some check_libraries() for arch
* Handle all IPCErrors properly.
* Handle another webelem.IsNullError with hints.
* Handle UnicodeDecodeError when reading configs.

Florian

-- 
http://www.the-compiler.org | me at the-compiler.org (Mail/XMPP)
   GPG: 916E B0C8 FD55 A072 | http://the-compiler.org/pubkey.asc
         I love long mails! | http://email.is-not-s.ms/