[epiphany] Don't crash on escaped null characters
- From: Michael Catanzaro <mcatanzaro src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [epiphany] Don't crash on escaped null characters
- Date: Mon, 21 Sep 2015 14:51:11 +0000 (UTC)
commit 5f0cac6c373b5f41bdb24b4762487bae93331c61
Author: Michael Catanzaro <mcatanzaro igalia com>
Date: Sat Sep 19 19:55:48 2015 -0500
Don't crash on escaped null characters
Disallow escaped slashes as well.
https://bugzilla.gnome.org/show_bug.cgi?id=755287
embed/ephy-web-view.c | 16 ++++++++++------
lib/ephy-uri-helpers.c | 15 +++++++++++++++
lib/ephy-uri-helpers.h | 1 +
lib/widgets/ephy-download-widget.c | 5 +++--
src/bookmarks/ephy-bookmark-properties.c | 3 ++-
src/bookmarks/ephy-bookmarks-editor.c | 3 ++-
src/ephy-completion-model.c | 3 ++-
src/ephy-history-window.c | 3 ++-
8 files changed, 37 insertions(+), 12 deletions(-)
---
diff --git a/embed/ephy-web-view.c b/embed/ephy-web-view.c
index 9f59425..838768f 100644
--- a/embed/ephy-web-view.c
+++ b/embed/ephy-web-view.c
@@ -42,6 +42,7 @@
#include "ephy-settings.h"
#include "ephy-snapshot-service.h"
#include "ephy-string.h"
+#include "ephy-uri-helpers.h"
#include "ephy-web-app-utils.h"
#include "ephy-web-dom-utils.h"
#include "ephy-web-extension-proxy.h"
@@ -857,7 +858,7 @@ ephy_web_view_set_address (EphyWebView *view,
priv->address = g_strdup (address);
g_free (priv->display_address);
- priv->display_address = g_uri_unescape_string (priv->address, NULL);
+ priv->display_address = ephy_uri_safe_unescape (priv->address);
is_blank = address == NULL ||
strcmp (address, "about:blank") == 0;
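Review bot: `priv->address` may be NULL at the changed line in ephy_web_view_set_address (the next statement tests `address == NULL`), and ephy_uri_safe_unescape() treats NULL as a programmer error. It logs a critical through `g_return_val_if_fail` and returns an empty string, where g_uri_unescape_string() quietly returned NULL, so display_address changes from NULL to "" for a blank view and the process aborts when criticals are made fatal. Guard the call, for example `priv->display_address = priv->address ? ephy_uri_safe_unescape (priv->address) : NULL;`. The same question applies to unescape_bookmark_uri and convert_location_data_func, whose visible lines show no NULL check on `url` (get_row_text and ephy_web_view_set_link_message do check). The function body starts and ends outside this hunk.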
@@ -1530,7 +1531,7 @@ ephy_web_view_set_loading_message (EphyWebView *view,
char *decoded_address;
char *title;
- decoded_address = g_uri_unescape_string (address, NULL);
+ decoded_address = ephy_uri_safe_unescape (address);
title = ephy_embed_utils_get_title_from_address (decoded_address);
if (title != NULL && title[0] != '\0') {
@@ -2532,10 +2533,13 @@ ephy_web_view_set_link_message (EphyWebView *view,
g_free (priv->link_message);
- decoded_address = g_uri_unescape_string (address, NULL);
- priv->link_message = ephy_embed_utils_link_message_parse (decoded_address);
-
- g_free (decoded_address);
+ if (address) {
+ decoded_address = ephy_uri_safe_unescape (address);
+ priv->link_message = ephy_embed_utils_link_message_parse (decoded_address);
+ g_free (decoded_address);
+ } else {
+ priv->link_message = NULL;
+ }
g_object_notify (G_OBJECT (view), "status-message");
g_object_notify (G_OBJECT (view), "link-message");
diff --git a/lib/ephy-uri-helpers.c b/lib/ephy-uri-helpers.c
index f18d324..d4d8335 100644
--- a/lib/ephy-uri-helpers.c
+++ b/lib/ephy-uri-helpers.c
@@ -248,4 +248,19 @@ bail:
soup_uri_free (uri);
return ret;
}
+
+char *
+ephy_uri_safe_unescape (const char *uri_string)
+{
+ char *decoded_uri;
+
+ /* This function is not null-safe since it is mostly used in scenarios where
+ * passing or returning null would typically lead to a security issue. */
+ g_return_val_if_fail (uri_string, g_strdup (""));
+
+ /* Protect against escaped null characters and escaped slashes. */
+ decoded_uri = g_uri_unescape_string (uri_string, "/");
+ return decoded_uri ? decoded_uri : g_strdup (uri_string);
+}
+
/* vim: set sw=2 ts=2 sts=2 et: */
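Review bot: ephy_uri_safe_unescape() returns whatever bytes the percent-decoding produces, so an input containing for example `%FF` yields a string that is not valid UTF-8. The callers in this commit pass the result to gtk_entry_set_text(), g_markup_escape_text() and a cell renderer's "text" property, which expect UTF-8. Consider falling back to the escaped form in that case as well, with `if (decoded_uri && !g_utf8_validate (decoded_uri, -1, NULL)) { g_free (decoded_uri); decoded_uri = NULL; }` before the return. Separately, `g_return_val_if_fail` is compiled out under G_DISABLE_CHECKS, and a NULL argument then makes the function return NULL (g_uri_unescape_string() returns NULL and g_strdup (NULL) is NULL), which is the outcome the comment says must be avoided. An explicit `if (!uri_string) return g_strdup ("");` would hold in every build.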
diff --git a/lib/ephy-uri-helpers.h b/lib/ephy-uri-helpers.h
index 0d7f4b6..60a165e 100644
--- a/lib/ephy-uri-helpers.h
+++ b/lib/ephy-uri-helpers.h
@@ -30,6 +30,7 @@
G_BEGIN_DECLS
char *ephy_remove_tracking_from_uri (const char *uri);
+char *ephy_uri_safe_unescape (const char *uri);
G_END_DECLS
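Review bot: The prototype names its parameter `uri` while the definition in lib/ephy-uri-helpers.c uses `uri_string`; use one name in both places. Since this header is where other modules find the function, a short comment above the declaration should say that the argument must not be NULL, that the returned string is newly allocated and must be released with g_free(), and that input containing an escaped NUL or escaped slash is returned still escaped.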
diff --git a/lib/widgets/ephy-download-widget.c b/lib/widgets/ephy-download-widget.c
index c419891..445a252 100644
--- a/lib/widgets/ephy-download-widget.c
+++ b/lib/widgets/ephy-download-widget.c
@@ -28,6 +28,7 @@
#include "ephy-debug.h"
#include "ephy-embed-shell.h"
#include "ephy-download.h"
+#include "ephy-uri-helpers.h"
#include <glib/gi18n.h>
#include <webkit2/webkit2.h>
@@ -91,7 +92,7 @@ get_destination_basename_from_download (EphyDownload *ephy_download)
return NULL;
basename = g_filename_display_basename (dest);
- unescaped = g_uri_unescape_string (basename, NULL);
+ unescaped = ephy_uri_safe_unescape (basename);
g_free (basename);
return unescaped;
@@ -361,7 +362,7 @@ add_popup_menu (EphyDownloadWidget *widget)
return;
basename = g_filename_display_basename (dest);
- name = g_uri_unescape_string (basename, NULL);
+ name = ephy_uri_safe_unescape (basename);
menu = gtk_menu_new ();
gtk_widget_set_halign (menu, GTK_ALIGN_END);
diff --git a/src/bookmarks/ephy-bookmark-properties.c b/src/bookmarks/ephy-bookmark-properties.c
index d0d1758..4ad42e8 100644
--- a/src/bookmarks/ephy-bookmark-properties.c
+++ b/src/bookmarks/ephy-bookmark-properties.c
@@ -34,6 +34,7 @@
#include "ephy-dnd.h"
#include "ephy-prefs.h"
#include "ephy-settings.h"
+#include "ephy-uri-helpers.h"
#include <glib/gi18n.h>
#include <gtk/gtk.h>
@@ -372,7 +373,7 @@ ephy_bookmark_properties_constructor (GType type,
gtk_editable_set_editable (GTK_EDITABLE (entry), !lockdown);
tmp = ephy_node_get_property_string (properties->priv->bookmark,
EPHY_NODE_BMK_PROP_LOCATION);
- unescaped_url = g_uri_unescape_string (tmp, NULL);
+ unescaped_url = ephy_uri_safe_unescape (tmp);
gtk_entry_set_text (GTK_ENTRY (entry), unescaped_url);
g_signal_connect (entry, "changed",
G_CALLBACK (location_entry_changed_cb), properties);
diff --git a/src/bookmarks/ephy-bookmarks-editor.c b/src/bookmarks/ephy-bookmarks-editor.c
index 689fac4..f7fea73 100644
--- a/src/bookmarks/ephy-bookmarks-editor.c
+++ b/src/bookmarks/ephy-bookmarks-editor.c
@@ -37,6 +37,7 @@
#include "ephy-settings.h"
#include "ephy-shell.h"
#include "ephy-initial-state.h"
+#include "ephy-uri-helpers.h"
#include "ephy-topic-action.h"
#include "ephy-window.h"
#include "popup-commands.h"
@@ -1484,7 +1485,7 @@ unescape_bookmark_uri (EphyNode *node,
gpointer user_data)
{
const char *url = g_value_get_string (value);
- g_value_take_string (value, g_uri_unescape_string (url, NULL));
+ g_value_take_string (value, ephy_uri_safe_unescape (url));
}
diff --git a/src/ephy-completion-model.c b/src/ephy-completion-model.c
index 60120da..c74d566 100644
--- a/src/ephy-completion-model.c
+++ b/src/ephy-completion-model.c
@@ -26,6 +26,7 @@
#include "ephy-favicon-helpers.h"
#include "ephy-history-service.h"
#include "ephy-shell.h"
+#include "ephy-uri-helpers.h"
#include <string.h>
@@ -247,7 +248,7 @@ get_row_text (const gchar *url, const gchar *title, const gchar *subtitle_color)
if (!url)
return g_markup_escape_text (title, -1);
- unescaped_url = g_uri_unescape_string (url, NULL);
+ unescaped_url = ephy_uri_safe_unescape (url);
if (g_strcmp0 (url, title) == 0)
text = g_markup_escape_text (unescaped_url, -1);
else
diff --git a/src/ephy-history-window.c b/src/ephy-history-window.c
index 55f4f69..8521e26 100644
--- a/src/ephy-history-window.c
+++ b/src/ephy-history-window.c
@@ -29,6 +29,7 @@
#include "ephy-prefs.h"
#include "ephy-settings.h"
#include "ephy-shell.h"
+#include "ephy-uri-helpers.h"
#include "ephy-time-helpers.h"
#include "ephy-window.h"
@@ -781,7 +782,7 @@ convert_location_data_func (GtkTreeViewColumn *column,
col_id,
&url,
-1);
- unescaped_url = g_uri_unescape_string (url, NULL);
+ unescaped_url = ephy_uri_safe_unescape (url);
g_object_set (renderer, "text", unescaped_url, NULL);