[epiphany/mcatanzaro/#532: 3/3] web-view: mitigate a clever URI spoofing attack

From: Michael Catanzaro <mcatanzaro src gnome org>
To: commits-list gnome org
Cc:
Subject: [epiphany/mcatanzaro/#532: 3/3] web-view: mitigate a clever URI spoofing attack
Date: Mon, 14 Jan 2019 00:57:19 +0000 (UTC)

commit 86ddd3e842f87d50a5023ae8302fa545fc95e037
Author: Michael Catanzaro <mcatanzaro igalia com>
Date:   Sun Jan 13 18:38:32 2019 -0600

    web-view: mitigate a clever URI spoofing attack
    
    Refer to the issue report for details.
    
    Fixes #532

 embed/ephy-web-view.c | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)
---
diff --git a/embed/ephy-web-view.c b/embed/ephy-web-view.c
index 5b3b10f00..db25ffa42 100644
--- a/embed/ephy-web-view.c
+++ b/embed/ephy-web-view.c
@@ -1125,8 +1125,27 @@ uri_changed_cb (WebKitWebView *web_view,
                 GParamSpec    *spec,
                 gpointer       data)
 {
-  ephy_web_view_set_address (EPHY_WEB_VIEW (web_view),
-                             webkit_web_view_get_uri (web_view));
+  /* When the user has triggered a page load, we want to update the
+   * address as it changes (e.g. due to redirection) so that the browser
+   * feels more "responsive." But we must not do this when a load is
+   * triggered by JavaScript, to avoid CVE-2018-8383. This check is
+   * safe because the visit type is reset in load_changed_cb() when the
+   * load is finished.
+   */
+  switch (EPHY_WEB_VIEW (web_view)->visit_type) {
+  case EPHY_PAGE_VISIT_NONE:
+    break;
+  case EPHY_PAGE_VISIT_LINK:
+    /* fallthrough */
+  case EPHY_PAGE_VISIT_TYPED:
+    /* fallthrough */
+  case EPHY_PAGE_VISIT_BOOKMARK:
+    /* fallthrough */
+  case EPHY_PAGE_VISIT_HOMEPAGE:
+    ephy_web_view_set_address (EPHY_WEB_VIEW (web_view),
+                               webkit_web_view_get_uri (web_view));
+    break;
+  }
 }
 
 static void
@@ -1980,7 +1999,9 @@ load_changed_cb (WebKitWebView  *web_view,
       /* Ensure we load the icon for this web view, if available. */
       _ephy_web_view_update_icon (view);
 
-      /* Reset visit type. */
+      /* Reset visit type. Careful if changing this: it's security-
+       * sensitive. See the comment in uri_changed_cb() for details.
+       */
       view->visit_type = EPHY_PAGE_VISIT_NONE;
 
       if (!ephy_web_view_is_history_frozen (view) &&

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]