[epiphany] Don't crash on escaped null characters



commit 5f0cac6c373b5f41bdb24b4762487bae93331c61
Author: Michael Catanzaro <mcatanzaro igalia com>
Date:   Sat Sep 19 19:55:48 2015 -0500

    Don't crash on escaped null characters
    
    Disallow escaped slashes as well.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=755287

 embed/ephy-web-view.c                    |   16 ++++++++++------
 lib/ephy-uri-helpers.c                   |   15 +++++++++++++++
 lib/ephy-uri-helpers.h                   |    1 +
 lib/widgets/ephy-download-widget.c       |    5 +++--
 src/bookmarks/ephy-bookmark-properties.c |    3 ++-
 src/bookmarks/ephy-bookmarks-editor.c    |    3 ++-
 src/ephy-completion-model.c              |    3 ++-
 src/ephy-history-window.c                |    3 ++-
 8 files changed, 37 insertions(+), 12 deletions(-)
---
diff --git a/embed/ephy-web-view.c b/embed/ephy-web-view.c
index 9f59425..838768f 100644
--- a/embed/ephy-web-view.c
+++ b/embed/ephy-web-view.c
@@ -42,6 +42,7 @@
 #include "ephy-settings.h"
 #include "ephy-snapshot-service.h"
 #include "ephy-string.h"
+#include "ephy-uri-helpers.h"
 #include "ephy-web-app-utils.h"
 #include "ephy-web-dom-utils.h"
 #include "ephy-web-extension-proxy.h"
@@ -857,7 +858,7 @@ ephy_web_view_set_address (EphyWebView *view,
   priv->address = g_strdup (address);
 
   g_free (priv->display_address);
-  priv->display_address = g_uri_unescape_string (priv->address, NULL);
+  priv->display_address = ephy_uri_safe_unescape (priv->address);
 
   is_blank = address == NULL ||
              strcmp (address, "about:blank") == 0;
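Review bot: `ephy_uri_safe_unescape (priv->address)` on the changed line can be reached with a NULL address, because the `is_blank = address == NULL || …` test just below accepts NULL and `priv->address` is a `g_strdup` of it. The new helper treats NULL as a programmer error via `g_return_val_if_fail`, so this path now logs a critical (fatal under `G_DEBUG=fatal-criticals`) and stores `""` where the old call quietly stored NULL. Guarding the call keeps the previous behaviour, as the commit already does in ephy_web_view_set_link_message: `priv->display_address = priv->address ? ephy_uri_safe_unescape (priv->address) : NULL;`. unescape_bookmark_uri and convert_location_data_func pass values with no NULL check visible in their hunks and may need the same guard; ephy_web_view_set_address itself starts and ends outside this hunk.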
@@ -1530,7 +1531,7 @@ ephy_web_view_set_loading_message (EphyWebView *view,
     char *decoded_address;
     char *title;
 
-    decoded_address = g_uri_unescape_string (address, NULL);
+    decoded_address = ephy_uri_safe_unescape (address);
     title = ephy_embed_utils_get_title_from_address (decoded_address);
 
     if (title != NULL && title[0] != '\0') {
@@ -2532,10 +2533,13 @@ ephy_web_view_set_link_message (EphyWebView *view,
 
   g_free (priv->link_message);
 
-  decoded_address = g_uri_unescape_string (address, NULL);
-  priv->link_message = ephy_embed_utils_link_message_parse (decoded_address);
-
-  g_free (decoded_address);
+  if (address) {
+    decoded_address = ephy_uri_safe_unescape (address);
+    priv->link_message = ephy_embed_utils_link_message_parse (decoded_address);
+    g_free (decoded_address);
+  } else {
+    priv->link_message = NULL;
+  }
 
   g_object_notify (G_OBJECT (view), "status-message");
   g_object_notify (G_OBJECT (view), "link-message");
diff --git a/lib/ephy-uri-helpers.c b/lib/ephy-uri-helpers.c
index f18d324..d4d8335 100644
--- a/lib/ephy-uri-helpers.c
+++ b/lib/ephy-uri-helpers.c
@@ -248,4 +248,19 @@ bail:
   soup_uri_free (uri);
   return ret;
 }
+
+char *
+ephy_uri_safe_unescape (const char *uri_string)
+{
+  char *decoded_uri;
+
+  /* This function is not null-safe since it is mostly used in scenarios where
+   * passing or returning null would typically lead to a security issue. */
+  g_return_val_if_fail (uri_string, g_strdup (""));
+
+  /* Protect against escaped null characters and escaped slashes. */
+  decoded_uri = g_uri_unescape_string (uri_string, "/");
+  return decoded_uri ? decoded_uri : g_strdup (uri_string);
+}
+
 /* vim: set sw=2 ts=2 sts=2 et: */
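Review bot: The non-NULL return that callers now rely on holds only while GLib checks are compiled in. `g_return_val_if_fail` expands to nothing under `G_DISABLE_CHECKS`, so a NULL argument then falls through to `g_uri_unescape_string`, which returns NULL, and `g_strdup (uri_string)` returns NULL as well. An explicit `if (uri_string == NULL) return g_strdup ("");` after the macro makes the guarantee unconditional. The existing "not null-safe" comment reads as the opposite of what the code does; I would replace it with a doc comment saying that NULL input is a caller bug answered with an empty string, and that the result is never NULL and is freed with `g_free`. It should also say that an escaped NUL, an escaped `/` or a malformed escape makes the function return a copy of the still-escaped input.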
diff --git a/lib/ephy-uri-helpers.h b/lib/ephy-uri-helpers.h
index 0d7f4b6..60a165e 100644
--- a/lib/ephy-uri-helpers.h
+++ b/lib/ephy-uri-helpers.h
@@ -30,6 +30,7 @@
 G_BEGIN_DECLS
 
 char *ephy_remove_tracking_from_uri (const char *uri);
+char *ephy_uri_safe_unescape (const char *uri);
 
 G_END_DECLS
 
diff --git a/lib/widgets/ephy-download-widget.c b/lib/widgets/ephy-download-widget.c
index c419891..445a252 100644
--- a/lib/widgets/ephy-download-widget.c
+++ b/lib/widgets/ephy-download-widget.c
@@ -28,6 +28,7 @@
 #include "ephy-debug.h"
 #include "ephy-embed-shell.h"
 #include "ephy-download.h"
+#include "ephy-uri-helpers.h"
 
 #include <glib/gi18n.h>
 #include <webkit2/webkit2.h>
@@ -91,7 +92,7 @@ get_destination_basename_from_download (EphyDownload *ephy_download)
     return NULL;
 
   basename = g_filename_display_basename (dest);
-  unescaped = g_uri_unescape_string (basename, NULL);
+  unescaped = ephy_uri_safe_unescape (basename);
   g_free (basename);
 
   return unescaped;
@@ -361,7 +362,7 @@ add_popup_menu (EphyDownloadWidget *widget)
     return;
 
   basename = g_filename_display_basename (dest);
-  name = g_uri_unescape_string (basename, NULL);
+  name = ephy_uri_safe_unescape (basename);
 
   menu = gtk_menu_new ();
   gtk_widget_set_halign (menu, GTK_ALIGN_END);
diff --git a/src/bookmarks/ephy-bookmark-properties.c b/src/bookmarks/ephy-bookmark-properties.c
index d0d1758..4ad42e8 100644
--- a/src/bookmarks/ephy-bookmark-properties.c
+++ b/src/bookmarks/ephy-bookmark-properties.c
@@ -34,6 +34,7 @@
 #include "ephy-dnd.h"
 #include "ephy-prefs.h"
 #include "ephy-settings.h"
+#include "ephy-uri-helpers.h"
 
 #include <glib/gi18n.h>
 #include <gtk/gtk.h>
@@ -372,7 +373,7 @@ ephy_bookmark_properties_constructor (GType type,
        gtk_editable_set_editable (GTK_EDITABLE (entry), !lockdown);
        tmp = ephy_node_get_property_string (properties->priv->bookmark,
                                             EPHY_NODE_BMK_PROP_LOCATION);
-       unescaped_url = g_uri_unescape_string (tmp, NULL);
+       unescaped_url = ephy_uri_safe_unescape (tmp);
        gtk_entry_set_text (GTK_ENTRY (entry), unescaped_url);
        g_signal_connect (entry, "changed",
                          G_CALLBACK (location_entry_changed_cb), properties);
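Review bot: The decoded string goes straight into `gtk_entry_set_text`, which expects valid UTF-8, yet percent-decoding can produce arbitrary bytes. As added in lib/ephy-uri-helpers.c, ephy_uri_safe_unescape rejects only an escaped NUL and an escaped `/`, and `g_uri_unescape_string` is not documented to validate the encoding of its result. Checking once in the helper would cover every caller, for example by returning the escaped original when `!g_utf8_validate (decoded_uri, -1, NULL)`. The same concern applies to the `g_markup_escape_text` call in get_row_text and the `"text"` property set in convert_location_data_func. The constructor continues outside this hunk, so whether `unescaped_url` is freed, or `tmp` can be NULL, is not visible here.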
diff --git a/src/bookmarks/ephy-bookmarks-editor.c b/src/bookmarks/ephy-bookmarks-editor.c
index 689fac4..f7fea73 100644
--- a/src/bookmarks/ephy-bookmarks-editor.c
+++ b/src/bookmarks/ephy-bookmarks-editor.c
@@ -37,6 +37,7 @@
 #include "ephy-settings.h"
 #include "ephy-shell.h"
 #include "ephy-initial-state.h"
+#include "ephy-uri-helpers.h"
 #include "ephy-topic-action.h"
 #include "ephy-window.h"
 #include "popup-commands.h"
@@ -1484,7 +1485,7 @@ unescape_bookmark_uri (EphyNode *node,
                       gpointer user_data)
 {
        const char *url = g_value_get_string (value);
-       g_value_take_string (value, g_uri_unescape_string (url, NULL));
+       g_value_take_string (value, ephy_uri_safe_unescape (url));
 }
 
 
diff --git a/src/ephy-completion-model.c b/src/ephy-completion-model.c
index 60120da..c74d566 100644
--- a/src/ephy-completion-model.c
+++ b/src/ephy-completion-model.c
@@ -26,6 +26,7 @@
 #include "ephy-favicon-helpers.h"
 #include "ephy-history-service.h"
 #include "ephy-shell.h"
+#include "ephy-uri-helpers.h"
 
 #include <string.h>
 
@@ -247,7 +248,7 @@ get_row_text (const gchar *url, const gchar *title, const gchar *subtitle_color)
   if (!url)
     return g_markup_escape_text (title, -1);
 
-  unescaped_url = g_uri_unescape_string (url, NULL);
+  unescaped_url = ephy_uri_safe_unescape (url);
   if (g_strcmp0 (url, title) == 0)
     text = g_markup_escape_text (unescaped_url, -1);
   else
diff --git a/src/ephy-history-window.c b/src/ephy-history-window.c
index 55f4f69..8521e26 100644
--- a/src/ephy-history-window.c
+++ b/src/ephy-history-window.c
@@ -29,6 +29,7 @@
 #include "ephy-prefs.h"
 #include "ephy-settings.h"
 #include "ephy-shell.h"
+#include "ephy-uri-helpers.h"
 #include "ephy-time-helpers.h"
 #include "ephy-window.h"
 
@@ -781,7 +782,7 @@ convert_location_data_func (GtkTreeViewColumn *column,
                            col_id,
                            &url,
                            -1);
-       unescaped_url = g_uri_unescape_string (url, NULL);
+       unescaped_url = ephy_uri_safe_unescape (url);
 
        g_object_set (renderer, "text", unescaped_url, NULL);
 

