Commit graph

3159 commits

Author SHA1 Message Date
Oliver Blanthorn
d129c47913
Switch to cmcaine's shell escape library 2019-07-02 16:48:47 +01:00
Colin Caine
a71398dc1e
nativeopen: fix shell escaping 2019-07-02 16:48:47 +01:00
Colin Caine
2e591272a5
hinting: make rapid mpv hint mode safe 2019-07-02 16:48:47 +01:00
Colin Caine
d2106c8b3e
release 1.16.0 2019-07-02 16:48:47 +01:00
Colin Caine
b53bbe9c01
script to thank contributors in changelog 2019-07-02 16:48:47 +01:00
Colin Caine
0faf4be41a
This allowed malicious web pages to send artificial key events to the parsers for all modes except the command line (which has always been protected inside an iframe).

If the native messenger was not installed, the bug could not be exploited for any more than nuisance attacks (closing tabs, quitting Firefox, etc.). If the native messenger was installed, an attack using the mpv hint mode (bound to `;v` by default) and a specially crafted link would allow an attacker to execute some commands in the user's shell. Due to the way hyperlinks are encoded, it would require more cunning than the Tridactyl developers possess to usefully exploit as it is difficult to pass arguments to commands.

This did mean that the standard output of mpv (including the attacker's URL) was also available to an attacker via pipes. We are not aware of any way to abuse that with commonly installed utilities.

We are unaware of any pages exploiting this in the wild.

Nevertheless, this security regression should not have happened. A short incident report follows:

These checks were accidentally removed when key handling was rewritten in September 2018. The PR was reviewed, but it was a large PR and the regression was missed by the reviewers.

We became aware of the regression after a question in our support chat prompted @glacambre to check on exactly how we were using `isTrusted` and they realised that we weren't using it any more.

We will shortly introduce automated testing to check these security properties that we rely on.

We will consider adding a check to continuous integration that flags any change to files containing security relevant code for more detailed review.

Affected versions:

- Tridactyl 1.14.0 - 1.14.10, 1.15.0

Mitigation:

- Update to Tridactyl 1.16.0+ or 1.14.13+

- If updating is unfeasible, we recommend removing the native messenger by running `:! pwd` in Tridactyl and then deleting that directory from your filesystem.

- If you've thought of a clever exploit, please contact bovine3dom or cmcaine privately on Matrix or by email.
2019-07-02 16:45:31 +01:00
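The two properties the commit message above says the project relies on, rejecting script-dispatched key events via `isTrusted` and shell-quoting the link passed to mpv, as an added JavaScript example. This is not Tridactyl's code and not its shell-quote library; the `binds` table, the function names, the sample events and the sample URL are constructed for illustration, and the `--` end-of-options behaviour of mpv is assumed rather than taken from this page.

```javascript
// Added example (not Tridactyl's code): the two checks the commit message
// above relies on, written as plain functions so they run under Node without
// a DOM.

// 1. Reject synthetic key events. A page script can fabricate a key event with
//    document.dispatchEvent(new KeyboardEvent("keydown", { key: "d" })), but
//    the browser marks every script-dispatched event isTrusted=false and the
//    flag is read-only, so a listener can refuse to act on it. Only the
//    strict boolean true is accepted; a missing flag is treated as untrusted.
function isTrustedKeyEvent(ev) {
  return ev !== null && typeof ev === "object" && ev.isTrusted === true;
}

// Constructed keymap standing in for a real modal key table.
const binds = { d: "tabclose", ZZ: "qall" };

// Minimal keydown handler in the style of a modal key parser: returns the
// action it would run, or null when the event is dropped before parsing.
function handleKeydown(ev, keyseq) {
  if (!isTrustedKeyEvent(ev)) return null; // untrusted: never reaches the parser
  const seq = keyseq + ev.key;
  return binds[seq] ?? null;
}

// 2. Quote a string for /bin/sh. Inside single quotes no shell metacharacter
//    is interpreted; the only character needing care is the single quote
//    itself, which is closed, backslash-escaped and reopened:  ' -> '\''
function shQuote(arg) {
  return "'" + String(arg).replace(/'/g, "'\\''") + "'";
}

// Unsafe form for contrast: a link text containing "; id #" becomes a second
// shell command.
function mpvCommandUnsafe(url) {
  return "mpv " + url;
}

// Hardened form. "--" ends option parsing (assumed here to be honoured by mpv,
// as by most getopt-style tools) so a link beginning with "--" cannot smuggle
// in options, and shQuote keeps the whole URL a single argument.
function mpvCommand(url) {
  return "mpv -- " + shQuote(url);
}

// Regression check of the kind the commit message proposes to automate:
// a synthetic event must never produce an action.
function syntheticEventIsIgnored() {
  const fake = { type: "keydown", key: "d", isTrusted: false }; // constructed
  return handleKeydown(fake, "") === null;
}
```

`syntheticEventIsIgnored()` is the shape of test the commit message promises: it encodes the security property directly, so a future rewrite of the key handler that drops the `isTrusted` check fails CI instead of shipping.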
dependabot-preview[bot]
50c7c68f93
Bump selenium-webdriver from 4.0.0-alpha.1 to 4.0.0-alpha.4
Bumps [selenium-webdriver](https://github.com/SeleniumHQ/selenium) from 4.0.0-alpha.1 to 4.0.0-alpha.4.
- [Release notes](https://github.com/SeleniumHQ/selenium/releases)
- [Commits](https://github.com/SeleniumHQ/selenium/commits)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2019-06-25 05:45:09 +00:00
Guillermo R. Palavecino
ed5d1b0bd4 Add a reference to editor functions in :help bind 2019-06-24 17:31:39 -03:00
dependabot-preview[bot]
10e7941eab
Bump webpack-cli from 3.3.4 to 3.3.5
Bumps [webpack-cli](https://github.com/webpack/webpack-cli) from 3.3.4 to 3.3.5.
- [Release notes](https://github.com/webpack/webpack-cli/releases)
- [Changelog](https://github.com/webpack/webpack-cli/blob/master/CHANGELOG.md)
- [Commits](https://github.com/webpack/webpack-cli/compare/v3.3.4...v3.3.5)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2019-06-24 06:06:15 +00:00
dependabot-preview[bot]
49ea3a25dc
Bump tslint from 5.17.0 to 5.18.0
Bumps [tslint](https://github.com/palantir/tslint) from 5.17.0 to 5.18.0.
- [Release notes](https://github.com/palantir/tslint/releases)
- [Changelog](https://github.com/palantir/tslint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/palantir/tslint/compare/5.17.0...5.18.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2019-06-24 06:04:46 +00:00
Joao Sa
bf29d268cb slightly increase wait for guiset write to reduce test failure 2019-06-23 21:39:37 -03:00
Joao Sa
bf3862f4df cmd.exe's echo doesn't take -n 2019-06-23 20:24:48 -03:00
Joao Sa
2a9ac030df Fix e2e tests on windows
- Also slightly increased wait for setpref write to reduce test failure
2019-06-23 19:25:27 -03:00
Joao Sa
0507bd4bbf Fix editor and rcfile encoding errors 2019-06-23 10:04:21 -03:00
Oliver Blanthorn
0486595154
Make ;v safer 2019-06-20 23:09:21 +01:00
dependabot-preview[bot]
79df58b9b6
Bump @types/jest from 24.0.13 to 24.0.14
Bumps [@types/jest](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jest) from 24.0.13 to 24.0.14.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jest)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2019-06-20 23:09:21 +01:00
dependabot-preview[bot]
0fb4725891
Bump @types/jest from 24.0.14 to 24.0.15
Bumps [@types/jest](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jest) from 24.0.14 to 24.0.15.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jest)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2019-06-17 09:14:40 +00:00
Oliver Blanthorn
be119b3d4e
Make ;v safer 2019-06-14 11:18:49 +01:00
dependabot-preview[bot]
dcab6eaac3
Bump typescript from 3.5.1 to 3.5.2
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 3.5.1 to 3.5.2.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](https://github.com/Microsoft/TypeScript/commits)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2019-06-14 08:47:48 +00:00
Oliver Blanthorn
0f784d9607
Merge pull request #1679 from tridactyl/dependabot/npm_and_yarn/@types/jest-24.0.14
Bump @types/jest from 24.0.13 to 24.0.14
2019-06-13 12:26:38 +01:00
Oliver Blanthorn
1dda427567
Merge pull request #1680 from tridactyl/dependabot/npm_and_yarn/webpack-4.34.0
Bump webpack from 4.33.0 to 4.34.0
2019-06-13 12:00:43 +01:00
dependabot-preview[bot]
95f5422949
Bump webpack from 4.33.0 to 4.34.0
Bumps [webpack](https://github.com/webpack/webpack) from 4.33.0 to 4.34.0.
- [Release notes](https://github.com/webpack/webpack/releases)
- [Commits](https://github.com/webpack/webpack/compare/v4.33.0...v4.34.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2019-06-13 08:47:04 +00:00
dependabot-preview[bot]
1883bfa5e2
Bump @types/jest from 24.0.13 to 24.0.14
Bumps [@types/jest](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jest) from 24.0.13 to 24.0.14.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jest)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2019-06-13 08:46:31 +00:00
Oliver Blanthorn
01fc419cfa
Merge pull request #1677 from tridactyl/dependabot/npm_and_yarn/@types/node-12.0.8
Bump @types/node from 12.0.7 to 12.0.8
2019-06-12 11:46:40 +02:00
dependabot-preview[bot]
a0f1c15020
Bump @types/node from 12.0.7 to 12.0.8
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 12.0.7 to 12.0.8.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2019-06-12 08:55:43 +00:00
Oliver Blanthorn
4e606091ea
Merge pull request #1676 from tridactyl/dependabot/npm_and_yarn/webpack-cli-3.3.4
Bump webpack-cli from 3.3.2 to 3.3.4
2019-06-12 08:36:38 +02:00
Oliver Blanthorn
ecb6686c59
Merge pull request #1674 from tridactyl/dependabot/npm_and_yarn/immer-3.1.3
Bump immer from 3.1.2 to 3.1.3
2019-06-12 08:34:49 +02:00
dependabot-preview[bot]
0949ea3840
Bump webpack-cli from 3.3.2 to 3.3.4
Bumps [webpack-cli](https://github.com/webpack/webpack-cli) from 3.3.2 to 3.3.4.
- [Release notes](https://github.com/webpack/webpack-cli/releases)
- [Changelog](https://github.com/webpack/webpack-cli/blob/master/CHANGELOG.md)
- [Commits](https://github.com/webpack/webpack-cli/compare/v3.3.2...v3.3.4)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2019-06-11 08:54:30 +00:00
dependabot-preview[bot]
cd68885f13
Bump immer from 3.1.2 to 3.1.3
Bumps [immer](https://github.com/immerjs/immer) from 3.1.2 to 3.1.3.
- [Release notes](https://github.com/immerjs/immer/releases)
- [Commits](https://github.com/immerjs/immer/compare/v3.1.2...v3.1.3)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2019-06-10 09:11:52 +00:00
Oliver Blanthorn
727de21e04
Merge pull request #1667 from tridactyl/dependabot/npm_and_yarn/@types/node-12.0.7
Bump @types/node from 12.0.5 to 12.0.7
2019-06-07 13:49:02 +01:00
dependabot-preview[bot]
abe81076f9
Bump @types/node from 12.0.5 to 12.0.7
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 12.0.5 to 12.0.7.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2019-06-07 08:47:22 +00:00
Colin Caine
277de2314b Fix #214
Refactors bookmark and history searching to a new file as well
2019-06-06 13:23:30 +01:00
Colin Caine
fe42846859 completions/bmarks: dedupe completions
Firefox discourages having more than one bookmark to the same URL, but
it can happen anyway due to sync bugs or something (I have duplicate
bookmarks, anyway).

This patch deduplicates bookmarks.
2019-06-06 12:10:07 +01:00
Oliver Blanthorn
417b982762
Merge pull request #1662 from tridactyl/dependabot/npm_and_yarn/@types/node-12.0.5
Bump @types/node from 12.0.4 to 12.0.5
2019-06-06 11:48:59 +01:00
Oliver Blanthorn
32ac11fe9d Ensure one history completion for real 2019-06-06 10:41:17 +01:00
dependabot-preview[bot]
2368ea7d33
Bump @types/node from 12.0.4 to 12.0.5
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 12.0.4 to 12.0.5.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2019-06-06 09:00:51 +00:00
Oliver Blanthorn
2485b1d2c2
Remove overlapping bind 2019-06-05 18:08:58 +01:00
Oliver Blanthorn
53e4a4ec4b
Add ftdetect to generated RCs 2019-06-05 17:02:04 +01:00
Oliver Blanthorn
1db0e07363
Reduce hintdelay in rc 2019-06-05 16:54:57 +01:00
Oliver Blanthorn
973ae858b7
Explain workaround for semicolons in composite 2019-06-05 16:51:34 +01:00
WorldCodeCentral
edfad5b702
Add context menu hint mode to rc 2019-06-05 16:47:01 +01:00
Oliver Blanthorn
11a6c608ae
Fix yarn conflicts
It wasn't using our theme fork or the node-shell-quote fork
2019-06-05 16:43:00 +01:00
Oliver Blanthorn
e53e35a6dc
Merge branch 'persist-completion-selection' 2019-06-05 16:11:31 +01:00
Oliver Blanthorn
794802b7bd
Ensure we can't ever have two completions selected 2019-06-05 16:11:14 +01:00
Oliver Blanthorn
3871e01934
Merge pull request #1659 from tridactyl/dependabot/npm_and_yarn/webpack-4.33.0
Bump webpack from 4.32.2 to 4.33.0
2019-06-05 09:54:30 +01:00
dependabot-preview[bot]
4b5f2c6749
Bump webpack from 4.32.2 to 4.33.0
Bumps [webpack](https://github.com/webpack/webpack) from 4.32.2 to 4.33.0.
- [Release notes](https://github.com/webpack/webpack/releases)
- [Commits](https://github.com/webpack/webpack/compare/v4.32.2...v4.33.0)
2019-06-05 08:50:36 +00:00
Colin Caine
46b7482f03 Persist history completion selection if it is still valid on source update 2019-06-04 19:57:31 +01:00
Colin Caine
98c107a2d2 Fix #1656
Keyseq is adding a count to the end of response.exstr. Stop that everywhere in exmode.
2019-06-04 18:10:45 +01:00
Oliver Blanthorn
575bd5d745
Add argument for rot13 2019-06-04 17:29:25 +01:00
Oliver Blanthorn
7312a0868f
Update changelog for 1.16.0 2019-06-04 13:00:44 +01:00