[epiphany/mcatanzaro/password-fixes: 2/6] embed-shell: Sanitize password save requests from web process



commit 1eb68198cc01ca51739d60a83c7bc88445b713bc
Author: Michael Catanzaro <mcatanzaro igalia com>
Date:   Tue Nov 13 15:44:31 2018 -0600

    embed-shell: Sanitize password save requests from web process
    
    The web process is untrusted and can send us bogus data. Sanitize
    password save requests here. We'll drop the request if it's missing
    password or password_field. If it has only one of username or
    username_field, null out the other.

 embed/ephy-embed-shell.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)
---
diff --git a/embed/ephy-embed-shell.c b/embed/ephy-embed-shell.c
index 9708df3db..2b1ce4fdd 100644
--- a/embed/ephy-embed-shell.c
+++ b/embed/ephy-embed-shell.c
@@ -474,7 +474,6 @@ web_extension_password_manager_save_real (EphyEmbedShell *shell,
                                           gboolean        is_request)
 {
   EphyEmbedShellPrivate *priv = ephy_embed_shell_get_instance_private (shell);
-
   g_autofree char *origin = property_to_string_or_null (value, "origin");
   g_autofree char *target_origin = property_to_string_or_null (value, "targetOrigin");
   g_autofree char *username = property_to_string_or_null (value, "username");
@@ -484,12 +483,26 @@ web_extension_password_manager_save_real (EphyEmbedShell *shell,
   g_autoptr(JSCValue) is_new_prop = jsc_value_object_get_property (value, "isNew");
   gboolean is_new = jsc_value_to_boolean (is_new_prop);
   gint32 page_id = property_to_int32 (value, "pageID");
+  EphyWebView *view;
+
+  /* Both password and password field are required. */
+  if (password == NULL || password_field == NULL)
+    return;
 
-  // This also sanity checks that a page isn't saving websites for other origins
-  EphyWebView *view = ephy_embed_shell_get_view_for_page_id (shell,
-                                                             page_id,
-                                                             origin);
-  if (!view)
+  /* The username field is required if username is present. */
+  if (username != NULL && username_field == NULL)
+    g_clear_pointer (&username_field, g_free);
+
+  /* The username is required if username field is present. */
+  if (username == NULL && username_field != NULL)
+    g_clear_pointer (&username, g_free);
+
+  /* This also sanity checks that a page isn't saving websites for
+   * other origins. Remember the request comes from the untrusted web
+   * process and we have to make sure it's not being evil here.
+   */
+  view = ephy_embed_shell_get_view_for_page_id (shell, page_id, origin);
+  if (view == NULL)
     return;
 
   if (!is_request) {
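Review bot: The two username guards free the pointer that the condition has just established is NULL, so both are no-ops and the sanitization the commit message describes ("null out the other") never happens: the first guard tests `username_field == NULL` and then clears `username_field`, the second tests `username == NULL` and then clears `username`. The non-NULL member is what should be dropped, i.e. under the first guard `g_clear_pointer (&username, g_free);` and under the second `g_clear_pointer (&username_field, g_free);`, so the later save path sees either both or neither. The two comments above them would then read more naturally as `/* Drop the username if it arrived without a field name. */` and `/* Drop the field name if it arrived without a username. */`. The function's body continues past the end of the hunk.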

