fix CVE-2023-26081

liweiganga 2023-02-23 14:43:50 +08:00
parent 4518763f45
commit 97d361f193
2 changed files with 91 additions and 1 deletions

85
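--- a/CVE-2023-26081.patch
+++ b/CVE-2023-26081.patch
@@ -0,0 +1,85 @@
+From 53363c3c8178bf9193dad9fa3516f4e10cff0ffd Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Fri, 3 Feb 2023 13:07:15 -0600
+Subject: [PATCH] Don't autofill passwords in sandboxed contexts
+If using the sandbox CSP or iframe tag, the web content is supposed to
+be not trusted by the main resource origin. Therefore, we'd better
+disable the password manager entirely so the untrusted web content
+cannot exfiltrate passwords.
+https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
+Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275>
+---
+.../resources/js/ephy.js | 26 +++++++++++++++++++
+1 file changed, 26 insertions(+)
+diff --git a/embed/web-process-extension/resources/js/ephy.js b/embed/web-process-extension/resources/js/ephy.js
+index 6fccd3d94..d1c42adbc 100644
+--- a/embed/web-process-extension/resources/js/ephy.js
++++ b/embed/web-process-extension/resources/js/ephy.js
+@@ -354,6 +354,12 @@ Ephy.hasModifiedForms = function()
+}
+};
++Ephy.isSandboxedWebContent = function()
++{
++ // https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
++ return self.origin === null || self.origin === 'null';
++};
++
+Ephy.PasswordManager = class PasswordManager
+{
+constructor(pageID, frameID)
+@@ -387,6 +393,11 @@ Ephy.PasswordManager = class PasswordManager
+query(origin, targetOrigin, username, usernameField, passwordField)
+{
++ if (Ephy.isSandboxedWebContent()) {
++ Ephy.log(`Not querying passwords for origin=${origin} because web content is sandboxed`);
++ return Promise.resolve(null);
++ }
++
+Ephy.log(`Querying passwords for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}`);
+return new Promise((resolver, reject) => {
+@@ -398,6 +409,11 @@ Ephy.PasswordManager = class PasswordManager
+save(origin, targetOrigin, username, password, usernameField, passwordField, isNew)
+{
++ if (Ephy.isSandboxedWebContent()) {
++ Ephy.log(`Not saving password for origin=${origin} because web content is sandboxed`);
++ return;
++ }
++
+Ephy.log(`Saving password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);
+window.webkit.messageHandlers.passwordManagerSave.postMessage({
+@@ -409,6 +425,11 @@ Ephy.PasswordManager = class PasswordManager
+// FIXME: Why is pageID a parameter here?
+requestSave(origin, targetOrigin, username, password, usernameField, passwordField, isNew, pageID)
+{
++ if (Ephy.isSandboxedWebContent()) {
++ Ephy.log(`Not requesting to save password for origin=${origin} because web content is sandboxed`);
++ return;
++ }
++
+Ephy.log(`Requesting to save password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);
+window.webkit.messageHandlers.passwordManagerRequestSave.postMessage({
+@@ -428,6 +449,11 @@ Ephy.PasswordManager = class PasswordManager
+queryUsernames(origin)
+{
++ if (Ephy.isSandboxedWebContent()) {
++ Ephy.log(`Not querying usernames for origin=${origin} because web content is sandboxed`);
++ return Promise.resolve(null);
++ }
++
+Ephy.log(`Requesting usernames for origin=${origin}`);
+return new Promise((resolver, reject) => {
+--
+GitLab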
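Review bot: `query()` and `queryUsernames()` now resolve to `null` whenever `Ephy.isSandboxedWebContent()` is true, so every caller has to tolerate a null result; the call sites are outside these hunks, so confirm none of them reads a property of the resolved value without a guard. The only comment in `isSandboxedWebContent` is the advisory link; I would add the reason the test works, e.g. `// Sandboxed documents get an opaque origin, which serializes as the string 'null'.` Any other opaque-origin document matches the same test, which fails closed and looks intended, but it is worth stating in that comment. The class body and the four patched methods continue outside the hunks.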


@ -4,7 +4,7 @@
Name: epiphany Name: epiphany
Epoch: 1 Epoch: 1
Version: 40.6 Version: 40.6
Release: 2 Release: 3
Summary: Web browser for GNOME Summary: Web browser for GNOME
License: GPL-3.0+ and LGPL-2.1 and MIT and GPL+ and ISC License: GPL-3.0+ and LGPL-2.1 and MIT and GPL+ and ISC
URL: https://wiki.gnome.org/Apps/Web URL: https://wiki.gnome.org/Apps/Web
@ -12,6 +12,8 @@ Source0: https://download.gnome.org/sources/epiphany/40/%{name}-%{ve
Patch0: epiphany-default-bookmarks-openeuler.patch Patch0: epiphany-default-bookmarks-openeuler.patch
# https://gitlab.gnome.org/GNOME/epiphany/-/issues/1766 # https://gitlab.gnome.org/GNOME/epiphany/-/issues/1766
Patch1: CVE-2022-29536.patch Patch1: CVE-2022-29536.patch
# https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275
Patch2: CVE-2023-26081.patch
BuildRequires: desktop-file-utils gcc gettext-devel iso-codes-devel itstool BuildRequires: desktop-file-utils gcc gettext-devel iso-codes-devel itstool
BuildRequires: libappstream-glib-devel meson pkgconfig(cairo) pkgconfig(evince-document-3.0) BuildRequires: libappstream-glib-devel meson pkgconfig(cairo) pkgconfig(evince-document-3.0)
@ -97,6 +99,9 @@ desktop-file-validate $RPM_BUILD_ROOT%{_datadir}/applications/*.desktop
%config(noreplace)%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf %config(noreplace)%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog %changelog
* Thu Feb 23 2023 liweiganga <liweiganga@uniontech.com> 1:40.6-3
- fix CVE-2023-26081
* Fri Sep 9 2022 lin zhang <lin.zhang@turbolinux.com.cn> 1:40.6-2 * Fri Sep 9 2022 lin zhang <lin.zhang@turbolinux.com.cn> 1:40.6-2
- fix issue #I5QHPI - fix issue #I5QHPI
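Review bot: `Patch2: CVE-2023-26081.patch` is declared, but the `%prep` section is not in any of these hunks, so it is not visible whether the patch is actually applied at build time. If the spec uses `%autosetup -p1` or `%autopatch` nothing more is needed; if it applies patches one by one, a `%patch2 -p1` line is required, otherwise the package would carry the new Release and changelog entry without the fix. The backport was written against a later upstream tree than 40.6, so also check the build log to confirm the hunks apply to `ephy.js` without fuzz or offsets that land in the wrong method.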