Release v0.9.1

CHANGELOG.asciidoc

@@ -14,6 +14,15 @@ This project adheres to http://semver.org/[Semantic Versioning].
 // `Fixed` for any bug fixes.
 // `Security` to invite users to upgrade in case of vulnerabilities.
 
+v0.9.1
+------
+
+Fixed
+~~~~~
+
+- Prevent websites from downloading files to a location outside of the download
+  folder with QtWebEngine.
+
 v0.9.0
 ------
 

qutebrowser/__init__.py

@@ -28,7 +28,7 @@ __copyright__ = "Copyright 2014-2016 Florian Bruhin (The Compiler)"
 __license__ = "GPL"
 __maintainer__ = __author__
 __email__ = "mail@qutebrowser.org"
-__version_info__ = (0, 9, 0)
+__version_info__ = (0, 9, 1)
 __version__ = '.'.join(str(e) for e in __version_info__)
 __description__ = "A keyboard-driven, vim-like browser based on PyQt5 and QtWebKit."
 

qutebrowser/browser/webengine/webenginedownloads.py

@@ -137,7 +137,10 @@ def _get_suggested_filename(path):
     """
     filename = os.path.basename(path)
     filename = re.sub(r'\([0-9]+\)$', '', filename)
+    # https://bugreports.qt.io/browse/QTBUG-58155
     filename = urllib.parse.unquote(filename)
+    # Doing basename a *second* time because there could be a %2F in there...
+    filename = os.path.basename(filename)
     return filename
 
 

tests/end2end/features/downloads.feature

@@ -118,6 +118,14 @@ Feature: Downloading things from a website.
         And I wait until the download is finished
         Then the downloaded file download with spaces.bin should exist
 
+    @qtwebkit_skip
+    Scenario: Downloading a file with evil content-disposition header
+        # Content-Disposition: download; filename=..%2Ffoo
+        When I open response-headers?Content-Disposition=download;%20filename%3D..%252Ffoo without waiting
+        And I wait until the download is finished
+        Then the downloaded file ../foo should not exist
+        And the downloaded file foo should exist
+
     ## :download-retry
 
     Scenario: Retrying a failed download
@@ -184,7 +192,7 @@ Feature: Downloading things from a website.
         Then the error "Can only download the current page as mhtml." should be shown
 
     Scenario: :download with a directory which doesn't exist
-        When I run :download --dest (tmpdir)/somedir/filename http://localhost:(port)/
+        When I run :download --dest (tmpdir)/downloads/somedir/filename http://localhost:(port)/
         Then the error "Download error: No such file or directory" should be shown
 
     ## mhtml downloads
@@ -402,7 +410,7 @@ Feature: Downloading things from a website.
         When I set storage -> prompt-download-directory to true
         And I set completion -> download-path-suggestion to path
         And I open data/downloads/download.bin without waiting
-        Then the download prompt should be shown with "(tmpdir)/"
+        Then the download prompt should be shown with "(tmpdir)/downloads/"
 
     Scenario: completion -> download-path-suggestion = filename
         When I set storage -> prompt-download-directory to true
@@ -414,7 +422,7 @@ Feature: Downloading things from a website.
         When I set storage -> prompt-download-directory to true
         And I set completion -> download-path-suggestion to both
         And I open data/downloads/download.bin without waiting
-        Then the download prompt should be shown with "(tmpdir)/download.bin"
+        Then the download prompt should be shown with "(tmpdir)/downloads/download.bin"
 
     ## storage -> remember-download-directory
 
@@ -424,19 +432,19 @@ Feature: Downloading things from a website.
         And I set storage -> remember-download-directory to true
         And I open data/downloads/download.bin without waiting
         And I wait for the download prompt for "*/download.bin"
-        And I run :prompt-accept (tmpdir)(dirsep)subdir
+        And I run :prompt-accept (tmpdir)(dirsep)downloads(dirsep)subdir
         And I open data/downloads/download2.bin without waiting
-        Then the download prompt should be shown with "(tmpdir)/subdir/download2.bin"
+        Then the download prompt should be shown with "(tmpdir)/downloads/subdir/download2.bin"
 
     Scenario: Not remembering the last download directory
         When I set storage -> prompt-download-directory to true
         And I set completion -> download-path-suggestion to both
         And I set storage -> remember-download-directory to false
         And I open data/downloads/download.bin without waiting
-        And I wait for the download prompt for "(tmpdir)/download.bin"
-        And I run :prompt-accept (tmpdir)(dirsep)subdir
+        And I wait for the download prompt for "(tmpdir)/downloads/download.bin"
+        And I run :prompt-accept (tmpdir)(dirsep)downloads(dirsep)subdir
         And I open data/downloads/download2.bin without waiting
-        Then the download prompt should be shown with "(tmpdir)/download2.bin"
+        Then the download prompt should be shown with "(tmpdir)/downloads/download2.bin"
 
     # https://github.com/The-Compiler/qutebrowser/issues/2173
 
@@ -446,12 +454,12 @@ Feature: Downloading things from a website.
         And I set storage -> remember-download-directory to true
         And I open data/downloads/download.bin without waiting
         And I wait for the download prompt for "*"
-        And I run :prompt-accept (tmpdir)
+        And I run :prompt-accept (tmpdir)/downloads
         And I open data/downloads/download.bin without waiting
         And I wait for the download prompt for "*"
         And I directly open the download
         And I open data/downloads/download.bin without waiting
-        Then the download prompt should be shown with "(tmpdir)/download.bin"
+        Then the download prompt should be shown with "(tmpdir)/downloads/download.bin"
 
     # Overwriting files
 
@@ -520,7 +528,7 @@ Feature: Downloading things from a website.
     @posix
     Scenario: Downloading to unwritable destination
         When I set storage -> prompt-download-directory to false
-        And I run :download http://localhost:(port)/data/downloads/download.bin --dest (tmpdir)/unwritable
+        And I run :download http://localhost:(port)/data/downloads/download.bin --dest (tmpdir)/downloads/unwritable
         Then the error "Download error: Permission denied" should be shown
 
     Scenario: Downloading 20MB file

tests/end2end/features/test_downloads_bdd.py

@@ -32,15 +32,17 @@ PROMPT_MSG = ("Asking question <qutebrowser.utils.usertypes.Question "
 
 @bdd.given("I set up a temporary download dir")
 def temporary_download_dir(quteproc, tmpdir):
+    download_dir = tmpdir / 'downloads'
+    download_dir.ensure(dir=True)
     quteproc.set_setting('storage', 'prompt-download-directory', 'false')
     quteproc.set_setting('storage', 'remember-download-directory', 'false')
-    quteproc.set_setting('storage', 'download-directory', str(tmpdir))
-    (tmpdir / 'subdir').ensure(dir=True)
+    quteproc.set_setting('storage', 'download-directory', str(download_dir))
+    (download_dir / 'subdir').ensure(dir=True)
     try:
-        os.mkfifo(str(tmpdir / 'fifo'))
+        os.mkfifo(str(download_dir / 'fifo'))
     except AttributeError:
         pass
-    unwritable = tmpdir / 'unwritable'
+    unwritable = download_dir / 'unwritable'
     unwritable.ensure(dir=True)
     unwritable.chmod(0)
 
@@ -76,20 +78,20 @@ def download_ssl_page(quteproc, ssl_server):
 
 @bdd.then(bdd.parsers.parse("The downloaded file {filename} should not exist"))
 def download_should_not_exist(filename, tmpdir):
-    path = tmpdir / filename
+    path = tmpdir / 'downloads' / filename
     assert not path.check()
 
 
 @bdd.then(bdd.parsers.parse("The downloaded file {filename} should exist"))
 def download_should_exist(filename, tmpdir):
-    path = tmpdir / filename
+    path = tmpdir / 'downloads' / filename
     assert path.check()
 
 
 @bdd.then(bdd.parsers.parse("The downloaded file {filename} should contain "
                             "{size} bytes"))
 def download_size(filename, size, tmpdir):
-    path = tmpdir / filename
+    path = tmpdir / 'downloads' / filename
     assert path.size() == int(size)
 
 
@@ -130,9 +132,11 @@ def download_open_with_prompt(quteproc):
 
 @bdd.when(bdd.parsers.parse("I delete the downloaded file {filename}"))
 def delete_file(tmpdir, filename):
-    (tmpdir / filename).remove()
+    (tmpdir / 'downloads' / filename).remove()
 
 
 @bdd.then("the FIFO should still be a FIFO")
 def fifo_should_be_fifo(tmpdir):
-    assert tmpdir.exists() and not os.path.isfile(str(tmpdir / 'fifo'))
+    download_dir = tmpdir / 'downloads'
+    assert download_dir.exists()
+    assert not os.path.isfile(str(download_dir / 'fifo'))

tests/unit/browser/webengine/test_webenginedownloads.py

@@ -32,6 +32,7 @@ from qutebrowser.browser.webengine import webenginedownloads
     ('foo(a)', 'foo(a)'),
     ('foo1', 'foo1'),
     ('foo%20bar', 'foo bar'),
+    ('foo%2Fbar', 'bar'),
 ])
 def test_get_suggested_filename(path, expected):
     assert webenginedownloads._get_suggested_filename(path) == expected

tests/unit/config/test_config.py

@@ -403,7 +403,7 @@ class TestDefaultConfig:
         If it did change, place a new qutebrowser-vx.y.z.conf in old_configs
         and then increment the version.
         """
-        assert qutebrowser.__version__ == '0.9.0'
+        assert qutebrowser.__version__ == '0.9.1'
 
     @pytest.mark.parametrize('filename',
         os.listdir(os.path.join(os.path.dirname(__file__), 'old_configs')),