This release was planned for later, but we've discovered a potential vulnerability in the way we treat internal pages. We consider it necessary to release a new version with a security patch. We urge everyone using Nyxt 3 pre-release 1 to update their installation to be safe.
The vulnerability is the following: we used to
read-from-string Lisp code from the URL path of the pages currently open in all Nyxt buffers. Given that Lisp reader allows code evaluation by default, this could've caused arbitrary code execution in Nyxt. The scope of this vulnerability is quite restricted, though:
- The URL-parsing library we use, QURI, strips off at least the most dangerous constructs, like
#.reader macro and quasi-quoted lists.
- Not all URLs are recognized as readable by the Lisp reader, causing reader errors and thus inability to evaluate the code.
- The vulnerability only concerns Nyxt 3, while Nyxt 2, including the most used Nyxt 2.2.4, are both safe.
Artyom has pushed a fix restricting the URLs being parsed to strictly the internal ones, in commit eebf1f8d7, which is included in the Nyxt 3 pre-release 2.
Dangerous things aside, this pre-release still has lots of other bug fixes and new features added, making for a smooth usage experience and complete browser introspection.
Please feel free to share your feedback on our GitHub issue tracker!
You can download Nyxt 3 Pre-release 2 here.
reduce-tracking-modecleans widely known tracking query parameters.
- Improve the algorithm that determines whether an element is in viewport.
nyxt/hint-mode:highlighted-box-styleand merge it into
hint-mode's image support by default.
nyxt/hint-mode:compute-hints-in-view-port-pallowing hints to be optionally computed in viewport.
nyxt/hint-mode:fit-to-prompt-pminimizing the space taken by
prompt-bufferwhile navigating hints.
nyxt/hint-mode:show-hint-scope-pfor element highlighting of hinted elements.
marks-actionsthat run when marked items on
nyxt/hint-mode:styleto accommodate for marked hints.
default-modescan be configured with
toggle-maximizecommand for maximizing a window.
- All copying and pasting commands populate
clipboard-ringreliably, thus fixing the
- Major improvement of
execute-commandevaluates arbitrary Lisp code and provides inline documentation for symbols.
- Extend keybinding for all keyschemes in
M-yin Emacs keyscheme.
- Bind familiar keys for text cutting in
- Improve version parsing so that it is aware of pre-releases (notice that it propagates to reader macros such as
- Fix touchscreen gestures for VI mode.
- Fix processing via relative paths when opening files.
nilno longer hangs the browser.
- Fix buffer re-attachment from the deleted window.
- Move download hooks to
download-modeenabling proper typing and adding handlers to them.
- Clipboard ring is properly filled on every clipboard action happening inside Nyxt.
view-sourcereturns an unmodified DOM without
nyxt-identifier-s or other Nyxt-specific implementation details.
history-backwardsby gracefully handling pages that are not yet done loading.
- Fix full-screening event handling—status buffer no longer goes off-sync with the full-screened page/video.
Did you enjoy this article? Register for our newsletter to receive the latest hacker news from the world of Lisp and browsers!
- Maximum one email per month
- Unsubscribe at any time