Headline
CVE-2020-15660: Release 0.27.0 · mozilla/geckodriver
Missing checks on Content-Type headers in geckodriver before 0.27.0 could lead to a CSRF vulnerability, that might, when paired with a specifically prepared request, lead to remote code execution.
- Releases
- v0.27.0
0.27.0 (2020-07-27, 7b8c4f32cdde
)****Security Fixes
CVE-2020-15660
Added additional checks on the
Content-Type
header forPOST
requests to disallowapplication/x-www-form-urlencoded
,multipart/form-data
andtext/plain
.Added checking of the
Origin
header forPOST
requests.The version number of Firefox is now checked when establishing a session.
Known problems
macOS 10.15 (Catalina):
Due to the requirement from Apple that all programs must be notarized, geckodriver will not work on Catalina if you manually download it through another notarized program, such as Firefox.
Whilst we are working on a repackaging fix for this problem, you can find more details on how to work around this issue in the macOS notarization section of the documentation.
Android:
Marionette will only be enabled in GeckoView based applications when the
Firefox preferencedevtools.debugger.remote-enabled
is set toTrue
via
moz:firefoxOptions
. This will be fixed in the Firefox 90 release for Android.In some cases geckodriver could crash due to a stack overflow when handling
certain device errors.
Added
To set environment variables for the launched Firefox for Android, it is now possible to add an
env
object onmoz:firefoxOptions
(note: this is not supported for Firefox Desktop)Support for print-to-PDF
The newly standardised WebDriver [Print] endpoint provides a way to render pages to a paginated PDF representation. This endpoint is supported by geckodriver when using Firefox version ≥78.
Support for same-site cookies
Cookies can now be set with a
same-site
parameter, and the value of that parameter will be returned when cookies are retrieved. Requires Firefox version ≥79. Thanks to Peter Major for the patch.
Fixed
Android:
Firefox running on Android devices can now be controlled from a Windows host.
Setups with multiple connected Android devices are now supported.
Improved cleanup of configuration files. This prevents crashes if the application is started manually after launching it through geckodriver.
Windows and Linux binaries are again statically linked.