[epiphany/mcatanzaro/#532: 3/3] web-view: mitigate a clever URI spoofing attack
- From: Michael Catanzaro <mcatanzaro src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [epiphany/mcatanzaro/#532: 3/3] web-view: mitigate a clever URI spoofing attack
- Date: Mon, 14 Jan 2019 00:57:19 +0000 (UTC)
commit 86ddd3e842f87d50a5023ae8302fa545fc95e037
Author: Michael Catanzaro <mcatanzaro igalia com>
Date: Sun Jan 13 18:38:32 2019 -0600
web-view: mitigate a clever URI spoofing attack
Refer to the issue report for details.
Fixes #532
embed/ephy-web-view.c | 27 ++++++++++++++++++++++++---
1 file changed, 24 insertions(+), 3 deletions(-)
---
diff --git a/embed/ephy-web-view.c b/embed/ephy-web-view.c
index 5b3b10f00..db25ffa42 100644
--- a/embed/ephy-web-view.c
+++ b/embed/ephy-web-view.c
@@ -1125,8 +1125,27 @@ uri_changed_cb (WebKitWebView *web_view,
GParamSpec *spec,
gpointer data)
{
- ephy_web_view_set_address (EPHY_WEB_VIEW (web_view),
- webkit_web_view_get_uri (web_view));
+ /* When the user has triggered a page load, we want to update the
+ * address as it changes (e.g. due to redirection) so that the browser
+ * feels more "responsive." But we must not do this when a load is
+ * triggered by JavaScript, to avoid CVE-2018-8383. This check is
+ * safe because the visit type is reset in load_changed_cb() when the
+ * load is finished.
+ */
+ switch (EPHY_WEB_VIEW (web_view)->visit_type) {
+ case EPHY_PAGE_VISIT_NONE:
+ break;
+ case EPHY_PAGE_VISIT_LINK:
+ /* fallthrough */
+ case EPHY_PAGE_VISIT_TYPED:
+ /* fallthrough */
+ case EPHY_PAGE_VISIT_BOOKMARK:
+ /* fallthrough */
+ case EPHY_PAGE_VISIT_HOMEPAGE:
+ ephy_web_view_set_address (EPHY_WEB_VIEW (web_view),
+ webkit_web_view_get_uri (web_view));
+ break;
+ }
}
static void
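Review bot: The `EPHY_PAGE_VISIT_NONE` case in uri_changed_cb() is the security-relevant branch, yet it is a bare `break;` with nothing on it to say so. A one-line comment on that case, such as `/* Load was not user-initiated (e.g. script-driven): do not follow the URI here. */`, would stop a later maintainer from "fixing" the missing address update. The switch also has no `default`, presumably so the compiler can flag a newly added visit type; it is worth stating in the block comment that any new enumerator must be classified explicitly, since it would otherwise fall silently into the no-update path. The function's signature begins outside the hunk.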
@@ -1980,7 +1999,9 @@ load_changed_cb (WebKitWebView *web_view,
/* Ensure we load the icon for this web view, if available. */
_ephy_web_view_update_icon (view);
- /* Reset visit type. */
+ /* Reset visit type. Careful if changing this: it's security-
+ * sensitive. See the comment in uri_changed_cb() for details.
+ */
view->visit_type = EPHY_PAGE_VISIT_NONE;
if (!ephy_web_view_is_history_frozen (view) &&
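Review bot: The guard added in uri_changed_cb() is only as strong as this reset, and the hunk does not show which load event the assignment runs under or whether failed and cancelled loads reach it. If any path ends a user-initiated load without executing `view->visit_type = EPHY_PAGE_VISIT_NONE;`, the stale value would let a later script-triggered URI change update the address again. Please confirm those paths, and consider naming the invariant in the comment, e.g. `/* Must run for every load that ends, including failed ones. */`. The body of load_changed_cb() starts and continues outside the hunk.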