PyPi: Qutebrowser

CVE-2022-25255

Transitive

Safety vulnerability ID: 49012

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Feb 16, 2022 Updated at Dec 08, 2023

Advisory

Qutebrowser 2.5.0 adds a workaround to a Qt issue causing ':spawn' to run executables from the current directory if no system-wide executable was found. The main security impact of this bug is in tools like text editors, which are often executed in untrusted directories and might attempt to run auxiliary tools automatically.

Affected package

qutebrowser

Latest version: 3.1.0

A keyboard-driven, vim-like browser based on Python and Qt.

Affected versions

Fixed versions

Vulnerability changelog

Deprecated

- v2.5.x will be the last release of qutebrowser 2.
**For the upcoming 3.0.0 release**, it's planned to drop support for various
legacy platforms and libraries which are unsupported upstream, such as:
  * Qt before 5.15 LTS (plus adding support for Qt 6.2+)
  * Python 3.6
  * The QtWebKit backend
  * macOS 10.14 (via Homebrew)
  * 32-bit Windows (via Qt)
  * Windows 8 (via Qt)
  * Windows 10 before 1809 (via Qt)
  * Possibly other more minor dependency changes
- The `:rl-unix-word-rubout` command (`<Ctrl-W>` in command/prompt modes) has
been deprecated. Use `:rl-rubout " "` instead.
- The `:rl-unix-filename-rubout` command has been deprecated. Use either
`:rl-rubout "/ "` (classic readline behavior) or `:rl-filename-rubout` (using
OS path separator and ignoring spaces) instead.

Changed

- Improved message if a spawned process wasn't found and a Flatpak container is
in use.
- The `:tab-move` command now takes `start` and `end` as `index` to move a tab
to the first/last position.
- Tests now automatically pick the backend (QtWebKit/QtWebEngine) based on
what's available. The `QUTE_BDD_WEBENGINE` environment variable and
`--qute-bdd-webengine` argument got replaced by `QUTE_TESTS_BACKEND` and
`--qute-backend` respectively, which can be set to either `webengine` or
`webkit`.
- Using `:tab-give` or `:tab-take` on the last tab in a window now always
closes that window, no matter what `tabs.last_close` is set to.
- Redesigned `qute://settings` (`:set`) page with buttons for options with
fixed values.
- The default `hint.selectors` now match more ARIA roles (`tab`, `checkbox`,
`menuitem`, `menuitemcheckbox` and `menuitemradio`).
- Using e.g. `:bind --mode=passthrough` now scrolls to the passthrough section
on the `qute://bindings` page.
- Clicking on a notification now tries to focus the tab where the notification
is coming from. Note this might not work properly if there is more than one
tab from the same host open.
- Improvements to userscripts:
  * `qute-bitwarden` understands a new `--password-prompt-invocation`, which can
be used to specify a tool other than `rofi` to ask for a password.
  * `cast` now uses `yt-dlp` if available (falling back to `youtube-dl` if not).
It also lets users override the tool to use via a `QUTE_CAST_YTDL_PROGRAM`
environment variable.
  * `qute-pass` now understands a new `--prefix` argument if used in gopass
mode, which gets passed as subfolder prefix to `gopass`.
  * `open_download` now supports Flatpak by using its XDG Desktop Portal.
  * `open_download` now waits for the exit status of `xdg-open`, causing
qutebrowser to report any issues with it.
- The `content.headers.custom` setting now accepts empty strings as values,
resulting in an empty header being sent.
- Renamed settings:
  * `qt.low_end_device_mode` -> `qt.chromium.low_end_device_mode`
  * `qt.process_model` -> `qt.chromium.process_model`
- System-wide userscripts are now discovered from the correct location when
running via Flatpak (`/app/share` rather than `/usr/share`).
- Filename prompts now don't display a `..` entry in the list of files anymore.
To get back to the parent directory, either type `../` manually, or use the new
`:rl-filename-rubout` command, bound to `<Ctrl-Shift-W>` by default.

Added

- New `input.match_counts` option which allows turning off count matching for
more emacs-like bindings.
- New `{relative_index}` field for `tabs.title.format` (and `.pinned_format`)
which shows relative tab numbers.
- New `input.mode_override` option which allows overriding the current mode
based on the new URL when navigating or switching tabs.
- New `qt.chromium.sandboxing` setting which allows disabling Chromium's
sandboxing (mainly intended for development and testing).
- New `QUTE_TAB_INDEX` variable for userscripts, containing the index of the
current tab.
- New `editor.remove_file` setting which can be set to `False` to keep all
temporary editor files after closing the external editor.
- New `:rl-rubout` command replacing `:rl-unix-word-rubout` (and optionally
`:rl-unix-filename-rubout`), taking a delimiter as argument.
- New `:rl-filename-rubout` command, using the OS path separator and ignoring
spaces. The command also gets shown in the suggested commands for a download
filename prompt now.

Fixed

- When `search.incremental` is disabled, searching using `/text` followed by a
backwards search via `?text` (or vice-versa) now correctly changes the search
direction.
- Elements getting a hint due to a `tabindex` are now skipped if it's set to
`-1`, reducing some false positives.
- The audible indicator (`[A]`) now uses a 2s cooldown when the audio goes
silent, equivalent to the behavior of older QtWebEngine versions.
- With `confirm_quit` set to `downloads`, the confirmation dialog is now only
shown when closing the last window (rather than closing any window, which
would continue running that window's downloads). Unfortunately, more issues
with `confirm_quit` and multiple windows remain.
- Crash when a previous crash-log file contains non-ASCII characters (which
should never happen unless it was edited manually).
- Due to changes in Debian, an old workaround (for broken QtWebEngine patching
on Debian) caused the inferior qutebrowser error page to be displayed, when
Chromium's would have worked fine. The workaround was now dropped.
- Crash when using `<Ctrl-D>` (`:completion-item-del`) in the `:tab-focus`
list, rather than `:tab-select`.
- Work around a Qt issue causing `:spawn` to run executables from the current
directory if no system-wide executable was found. The underlying Qt bug is
tracked as [CVE-2022-25255](https://lists.qt-project.org/pipermail/announce/2022-February/000333.html),
though the impact with typical qutebrowser usage is low: normally,
qutebrowser is run from a fixed location (usually the user's home directory),
and `:spawn` is not typically used with executables that don't exist. The main
security impact of this bug is in tools like text editors, which are often
executed in untrusted directories and might attempt to run auxiliary tools
automatically.
- When `:rl-rubout` or `:rl-filename-rubout` (formerly `:rl-unix-word-rubout`
and `:rl-unix-filename-rubout`) were used on a string not starting with the
given delimiter, they failed to delete the first character, which is now fixed.
- Fixes in userscripts:
  * `ripbang` now works again (it got blocked due to a missing user agent and
used outdated qutebrowser commands before)
  * `keepassxc` now has a properly working `--insecure` flag
- Speculative fix for an immediate crash at start with the macOS/Windows
binaries (in certain rare environments).
- Speculative fix for a qutebrowser crash when the notification daemon crashes
while showing the notification.
- Fix crash when using `:screenshot` with an invalid `--rect` argument.
- Added a site-specific quirk to make cookie dialogs on StackExchange pages
(such as Stack Overflow) work on Qt 5.12.
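The `:spawn` workaround in the Fixed list above (and the Advisory text) describes a process API that falls back to the current directory when a bare command name is not on PATH. The following is an added example, not qutebrowser's or Qt's code: a simplified model of that fallback next to a hardened resolver that looks bare names up on PATH only and fails loudly before any process API gets to do its own lookup. The function names, the temporary directory and the `constructed-helper` executable are constructed for the demo.

```python
import os
import shutil
import stat
import tempfile
from typing import Optional


def make_untrusted_dir(name: str = "constructed-helper") -> str:
    """Constructed demo input: a directory standing in for an untrusted cwd
    that contains an executable whose name is not on PATH."""
    d = tempfile.mkdtemp(prefix="spawn-demo-")
    p = os.path.join(d, name)
    with open(p, "w") as f:
        f.write("#!/bin/sh\necho constructed\n")
    os.chmod(p, os.stat(p).st_mode | stat.S_IXUSR)
    return d


def qt_like_lookup(cmd: str, path_env: str, cwd: str) -> Optional[str]:
    """Simplified model (an assumption, not Qt's code) of the behaviour the
    advisory describes: search PATH, then fall back to the current directory."""
    if os.sep in cmd:
        return cmd
    found = shutil.which(cmd, path=path_env)
    if found is None:
        found = shutil.which(cmd, path=cwd)  # the dangerous fallback
    return found


def safe_lookup(cmd: str, path_env: str, cwd: str) -> Optional[str]:
    """Hardened resolver: a bare name is looked up on PATH only; an explicit
    path component means the caller deliberately named that file."""
    if os.sep in cmd:
        target = os.path.join(cwd, cmd)
        return target if os.access(target, os.X_OK) else None
    return shutil.which(cmd, path=path_env)


def spawn_target(cmd: str, path_env: str, cwd: str) -> str:
    """Resolve before handing the command to any process API, so the API's own
    lookup (and its cwd fallback) never runs; unresolved names fail loudly."""
    target = safe_lookup(cmd, path_env, cwd)
    if target is None:
        raise FileNotFoundError(f"{cmd!r} not found on PATH; not falling back to {cwd}")
    return target
```

With an empty PATH and an untrusted cwd containing `constructed-helper`, `qt_like_lookup` returns the file inside that directory while `safe_lookup` returns `None` and `spawn_target` raises instead of spawning.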


Severity Details

CVSS Base Score

HIGH 7.8

CVSS v3 Details

HIGH 7.8
Attack Vector (AV)
LOCAL
Attack Complexity (AC)
LOW
Privileges Required (PR)
LOW
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
HIGH
Integrity Impact (I)
HIGH
Availability Impact (A)
HIGH

CVSS v2 Details

HIGH 7.2
Access Vector (AV)
LOCAL
Access Complexity (AC)
LOW
Authentication (Au)
NONE
Confidentiality Impact (C)
COMPLETE
Integrity Impact (I)
COMPLETE
Availability Impact (A)
COMPLETE