Headline
CVE-2020-15660: Release 0.27.0 · mozilla/geckodriver
Missing checks on Content-Type headers in geckodriver before 0.27.0 could lead to a CSRF vulnerability that might, when paired with a specifically prepared request, lead to remote code execution.
0.27.0 (2020-07-27, 7b8c4f32cdde)
Security Fixes
- CVE-2020-15660
  - Added additional checks on the Content-Type header for POST requests to disallow application/x-www-form-urlencoded, multipart/form-data and text/plain.
  - Added checking of the Origin header for POST requests.
  - The version number of Firefox is now checked when establishing a session.
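
The Content-Type and Origin checks listed above can be illustrated with the following Rust example, added here and not taken from geckodriver's source. The function and type names are hypothetical, and rejecting every POST that carries an Origin header is an assumed policy; the three listed media types are the ones a browser can send cross-origin without a CORS preflight.

```rust
// Added illustration, not geckodriver's source. Names and the Origin
// policy are assumptions.

/// Media types a browser can send cross-origin without a CORS preflight.
const FORM_TYPES: [&str; 3] = [
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
];

#[derive(Debug, PartialEq)]
pub enum Rejection {
    FormContentType(String),
    OriginPresent(String),
}

/// Lowercased media type without parameters such as `; charset=utf-8`.
fn media_type(content_type: &str) -> String {
    let bare = content_type.split(';').next().unwrap_or("");
    bare.trim().to_ascii_lowercase()
}

/// Decide whether a POST to a local WebDriver endpoint is acceptable.
pub fn check_post(content_type: Option<&str>, origin: Option<&str>) -> Result<(), Rejection> {
    if let Some(ct) = content_type {
        let mt = media_type(ct);
        if FORM_TYPES.iter().any(|t| mt == *t) {
            return Err(Rejection::FormContentType(mt));
        }
    }
    // Assumed policy: WebDriver clients are not browsers and send no Origin
    // header, so its presence marks a request issued from a web page.
    if let Some(o) = origin {
        return Err(Rejection::OriginPresent(o.to_string()));
    }
    Ok(())
}

fn main() {
    // Constructed sample requests: (Content-Type, Origin).
    let samples = [
        (Some("application/json; charset=utf-8"), None),
        (Some("Text/Plain;charset=UTF-8"), None),
        (Some("application/json"), Some("https://example.test")),
    ];
    for (ct, origin) in samples {
        println!("{:?} {:?} -> {:?}", ct, origin, check_post(ct, origin));
    }
}
```

Matching on the bare, lowercased media type matters because browsers append parameters such as a charset or multipart boundary, and header values are case-insensitive.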
 
Known problems
- macOS 10.15 (Catalina):
  - Due to the requirement from Apple that all programs must be notarized, geckodriver will not work on Catalina if you manually download it through another notarized program, such as Firefox.
  - Whilst we are working on a repackaging fix for this problem, you can find more details on how to work around this issue in the macOS notarization section of the documentation.
- Android:
  - Marionette will only be enabled in GeckoView based applications when the Firefox preference devtools.debugger.remote-enabled is set to True via moz:firefoxOptions. This will be fixed in the Firefox 90 release for Android.
  - In some cases geckodriver could crash due to a stack overflow when handling certain device errors.
Added
- To set environment variables for the launched Firefox for Android, it is now possible to add an env object on moz:firefoxOptions (note: this is not supported for Firefox Desktop).
- Support for print-to-PDF
  - The newly standardised WebDriver Print endpoint provides a way to render pages to a paginated PDF representation. This endpoint is supported by geckodriver when using Firefox version ≥78.
- Support for same-site cookies
  - Cookies can now be set with a same-site parameter, and the value of that parameter will be returned when cookies are retrieved. Requires Firefox version ≥79. Thanks to Peter Major for the patch.
Fixed
- Android:
  - Firefox running on Android devices can now be controlled from a Windows host.
  - Setups with multiple connected Android devices are now supported.
  - Improved cleanup of configuration files. This prevents crashes if the application is started manually after launching it through geckodriver.
 
- Windows and Linux binaries are again statically linked.