[epiphany/gnome-3-36] about-handler: properly encode page title/URL in about:overview

From: Michael Catanzaro <mcatanzaro src gnome org>
To: commits-list gnome org
Cc:
Subject: [epiphany/gnome-3-36] about-handler: properly encode page title/URL in about:overview
Date: Thu, 16 Dec 2021 16:45:49 +0000 (UTC)

commit c632f5a9dda33357d7fc6054eade0dd1ce45c75e
Author: Michael Catanzaro <mcatanzaro redhat com>
Date:   Tue Dec 14 16:43:05 2021 -0600

    about-handler: properly encode page title/URL in about:overview
    
    Otherwise, web pages can execute code in about:overview via a malicious
    page title. It might be possible to do the same via the URL, so better
    encode that too.
    
    Fixes #1612
    
    Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1045>

 embed/ephy-about-handler.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
---
diff --git a/embed/ephy-about-handler.c b/embed/ephy-about-handler.c
index 029aa64c6..7ed63cb50 100644
--- a/embed/ephy-about-handler.c
+++ b/embed/ephy-about-handler.c
@@ -27,6 +27,7 @@
 #include "ephy-file-helpers.h"
 #include "ephy-flatpak-utils.h"
 #include "ephy-history-service.h"
+#include "ephy-output-encoding.h"
 #include "ephy-prefs.h"
 #include "ephy-settings.h"
 #include "ephy-smaps.h"
@@ -407,7 +408,9 @@ history_service_query_urls_cb (EphyHistoryService     *history,
     EphyHistoryURL *url = (EphyHistoryURL *)l->data;
     const char *snapshot;
     g_autofree char *thumbnail_style = NULL;
-    g_autofree char *markup = NULL;
+    g_autofree char *entity_encoded_title = NULL;
+    g_autofree char *attribute_encoded_title = NULL;
+    g_autofree char *encoded_url = NULL;
 
     snapshot = ephy_snapshot_service_lookup_cached_snapshot_path (snapshot_service, url->url);
     if (snapshot)
@@ -415,15 +418,19 @@ history_service_query_urls_cb (EphyHistoryService     *history,
     else
       ephy_embed_shell_schedule_thumbnail_update (shell, url);
 
-    markup = g_markup_escape_text (url->title, -1);
+    /* Title and URL are controlled by web content and could be malicious. */
+    entity_encoded_title = ephy_encode_for_html_entity (url->title);
+    attribute_encoded_title = ephy_encode_for_html_attribute (url->title);
+    encoded_url = ephy_encode_for_html_attribute (url->url);
     g_string_append_printf (data_str,
                             "<a class=\"overview-item\" title=\"%s\" href=\"%s\">"
                             "  <div class=\"overview-close-button\" title=\"%s\"></div>"
                             "  <span class=\"overview-thumbnail\"%s></span>"
                             "  <span class=\"overview-title\">%s</span>"
                             "</a>",
-                            markup, url->url, _("Remove from overview"),
-                            thumbnail_style ? thumbnail_style : "", url->title);
+                            attribute_encoded_title, encoded_url, _("Remove from overview"),
+                            thumbnail_style ? thumbnail_style : "",
+                            entity_encoded_title);
   }
 
   for (guint idx = list_length; idx < 9; idx++) {

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]