[epiphany/mcatanzaro/xss-gnome-40: 7/13] view-source-handler: encode data passed to highlight.js




commit 076f181a7f505d159247c80392fb1171796754d3
Author: Michael Catanzaro <mcatanzaro redhat com>
Date:   Tue Dec 14 16:47:00 2021 -0600

    view-source-handler: encode data passed to highlight.js
    
    The actual data here should be good already because it gets escaped by
    GLib, but this function is really designed for use in XML, so let's
    switch to the simpler Epiphany function designed for anti-XSS to make it
    more clear what's going on here.
    
    The URL, though, is probably vulnerable: a malicious URL could contain
    characters that break out of the HTML context it is interpolated into.
    Encode it too.
    
    Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1045>

 embed/ephy-view-source-handler.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
---
diff --git a/embed/ephy-view-source-handler.c b/embed/ephy-view-source-handler.c
index 52e29519c..f52a48dee 100644
--- a/embed/ephy-view-source-handler.c
+++ b/embed/ephy-view-source-handler.c
@@ -23,6 +23,7 @@
 
 #include "ephy-embed-container.h"
 #include "ephy-embed-shell.h"
+#include "ephy-output-encoding.h"
 #include "ephy-web-view.h"
 
 #include <gio/gio.h>
@@ -109,7 +110,9 @@ web_resource_data_cb (WebKitWebResource     *resource,
                       EphyViewSourceRequest *request)
 {
   g_autofree guchar *data = NULL;
-  g_autofree char *escaped_str = NULL;
+  g_autofree char *data_str = NULL;
+  g_autofree char *encoded_str = NULL;
+  g_autofree char *encoded_uri = NULL;
   g_autoptr (GError) error = NULL;
   g_autofree char *html = NULL;
   gsize length;
@@ -120,8 +123,13 @@ web_resource_data_cb (WebKitWebResource     *resource,
     return;
   }
 
-  /* Warning: data is not a string, so we pass length here because it's not NUL-terminated. */
-  escaped_str = g_markup_escape_text ((const char *)data, length);
+  /* Convert data to a string */
+  data_str = g_malloc (length + 1);
+  memcpy (data_str, data, length);
+  data_str[length] = '\0';
+
+  encoded_str = ephy_encode_for_html_entity (data_str);
+  encoded_uri = ephy_encode_for_html_entity (webkit_web_resource_get_uri (resource));
 
   html = g_strdup_printf ("<head>"
                           "  <link rel='stylesheet' 
href='ephy-resource:///org/gnome/epiphany/highlightjs/nnfx.css' media='(prefers-color-scheme: no-preference), 
(prefers-color-scheme: light)'>"
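Review bot: The copy at `data_str = g_malloc (length + 1); memcpy (data_str, data, length); data_str[length] = '\0';` turns the resource into a C string, so `ephy_encode_for_html_entity (data_str)` stops at the first embedded NUL byte and everything after it is silently dropped from the view-source output, whereas the removed `g_markup_escape_text ((const char *)data, length)` call was length-bounded and the removed warning comment pointed exactly at this. A resource carrying a NUL (binary content, or a page that tucks markup behind one — HTML parsers generally replace NUL with U+FFFD and keep going) would be shown incomplete, which is a poor property for a source viewer meant to reveal what the page contains. If the encoder cannot take a length, at least make the truncation visible, e.g. `g_warn_if_fail (strlen (data_str) == length);` and a comment such as `/* NOTE: the encoder takes a NUL-terminated string; bytes after an embedded NUL are not shown. */`. Whether ephy_encode_for_html_entity requires valid UTF-8 is not visible here; if it does, the raw bytes should be validated before being handed to it. web_resource_data_cb continues past the end of this hunk.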
@@ -136,8 +144,8 @@ web_resource_data_cb (WebKitWebResource     *resource,
                           "          hljs.initLineNumbersOnLoad();</script>"
                           "  <pre><code class='html'>%s</code></pre>"
                           "</body>",
-                          webkit_web_resource_get_uri (resource),
-                          escaped_str);
+                          encoded_uri,
+                          encoded_str);
 
   finish_uri_scheme_request (request, g_steal_pointer (&html), NULL);
 }
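Review bot: HTML-entity encoding is only the right encoding for the first `%s` (the one now fed `encoded_uri`) if that placeholder sits in element content or a quoted attribute; the format-string line that holds it lies above this hunk, and since the `<script>` element only closes on the `hljs.initLineNumbersOnLoad();</script>` line, a placeholder inside the script text would need JavaScript string escaping instead. Worth confirming the placement, and a comment on the format string such as `/* both %s are entity-encoded for HTML element/attribute context; never place them inside <script> */` would make that contract visible to the next editor. web_resource_data_cb begins before this hunk.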

