poky/meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch

From 53363c3c8178bf9193dad9fa3516f4e10cff0ffd Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@redhat.com>
Date: Fri, 3 Feb 2023 13:07:15 -0600
Subject: [PATCH] Don't autofill passwords in sandboxed contexts

If using the sandbox CSP or iframe tag, the web content is supposed to
be not trusted by the main resource origin. Therefore, we'd better
disable the password manager entirely so the untrusted web content
cannot exfiltrate passwords.

https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x

Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275>

Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/epiphany/-/commit/53363c3c8178bf9193dad9fa3516f4e10cff0ffd]
CVE: CVE-2023-26081
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
 .../resources/js/ephy.js                      | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/embed/web-process-extension/resources/js/ephy.js b/embed/web-process-extension/resources/js/ephy.js
index 38b806f..44d1792 100644
--- a/embed/web-process-extension/resources/js/ephy.js
+++ b/embed/web-process-extension/resources/js/ephy.js
@@ -352,6 +352,12 @@ Ephy.hasModifiedForms = function()
     }
 };
 
+Ephy.isSandboxedWebContent = function()
+{
+    // https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
+    return self.origin === null || self.origin === 'null';
+};
+
 Ephy.PasswordManager = class PasswordManager
 {
     constructor(pageID, frameID)
@@ -385,6 +391,11 @@ Ephy.PasswordManager = class PasswordManager
 
     query(origin, targetOrigin, username, usernameField, passwordField)
     {
+        if (Ephy.isSandboxedWebContent()) {
+            Ephy.log(`Not querying passwords for origin=${origin} because web content is sandboxed`);
+            return Promise.resolve(null);
+        }
+
         Ephy.log(`Querying passwords for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}`);
 
         return new Promise((resolver, reject) => {
@@ -396,6 +407,11 @@ Ephy.PasswordManager = class PasswordManager
 
     save(origin, targetOrigin, username, password, usernameField, passwordField, isNew)
     {
+        if (Ephy.isSandboxedWebContent()) {
+            Ephy.log(`Not saving password for origin=${origin} because web content is sandboxed`);
+            return;
+        }
+
         Ephy.log(`Saving password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);
 
         window.webkit.messageHandlers.passwordManagerSave.postMessage({
@@ -407,6 +423,11 @@ Ephy.PasswordManager = class PasswordManager
     // FIXME: Why is pageID a parameter here?
     requestSave(origin, targetOrigin, username, password, usernameField, passwordField, isNew, pageID)
     {
+        if (Ephy.isSandboxedWebContent()) {
+            Ephy.log(`Not requesting to save password for origin=${origin} because web content is sandboxed`);
+            return;
+        }
+
         Ephy.log(`Requesting to save password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);
 
         window.webkit.messageHandlers.passwordManagerRequestSave.postMessage({
@@ -426,6 +447,11 @@ Ephy.PasswordManager = class PasswordManager
 
     queryUsernames(origin)
     {
+        if (Ephy.isSandboxedWebContent()) {
+            Ephy.log(`Not querying usernames for origin=${origin} because web content is sandboxed`);
+            return Promise.resolve(null);
+        }
+
         Ephy.log(`Requesting usernames for origin=${origin}`);
 
         return new Promise((resolver, reject) => {
-- 
2.35.5