authorMichael Catanzaro <mcatanzaro@redhat.com>2021-12-14 16:44:36 -0600
committerMichael Catanzaro <mcatanzaro@redhat.com>2021-12-15 14:41:00 -0600
commit28c64ff39e675d2592b2f01918d95259495b92af (patch)
treef43c45464454e78edb67451597af6799c47d54b3
parentf7248e40188a8189a03715ce0bc0ca8772157e4d (diff)
downloadepiphany-28c64ff39e675d2592b2f01918d95259495b92af.tar.gz
about-handler: properly encode web app info in about:applications
The web app has some partial control over its title, and full control over its URL. Let's be careful here to ensure the web app info cannot be used to execute code. Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1045>
-rw-r--r--embed/ephy-about-handler.c22
1 files changed, 20 insertions, 2 deletions
diff --git a/embed/ephy-about-handler.c b/embed/ephy-about-handler.c
index af65ce408..b677989f2 100644
--- a/embed/ephy-about-handler.c
+++ b/embed/ephy-about-handler.c
@@ -264,19 +264,37 @@ handle_applications_finished_cb (EphyAboutHandler *handler,
for (p = applications; p; p = p->next) {
EphyWebApplication *app = (EphyWebApplication *)p->data;
+ g_autofree char *html_encoded_id = NULL;
+ g_autofree char *encoded_icon_url = NULL;
+ g_autofree char *encoded_name = NULL;
+ g_autofree char *encoded_url = NULL;
+ g_autofree char *js_encoded_id = NULL;
+ g_autofree char *encoded_install_date = NULL;
if (ephy_web_application_is_system (app))
continue;
+ /* Most of these fields are untrusted. The web app suggests its own title,
+ * which gets used in the app ID and icon URL. The main URL could contain
+ * anything. Install date is the only trusted field here in that it's
+ * constructed by Epiphany, but it's a freeform string and we're encoding
+ * everything else here anyway, so might as well encode this too.
+ */
+ html_encoded_id = ephy_encode_for_html_attribute (app->id);
+ encoded_icon_url = ephy_encode_for_html_attribute (app->icon_url);
+ encoded_name = ephy_encode_for_html_entity (app->name);
+ encoded_url = ephy_encode_for_html_entity (app->url);
+ js_encoded_id = ephy_encode_for_javascript (app->id);
+ encoded_install_date = ephy_encode_for_html_entity (app->install_date);
g_string_append_printf (data_str,
"<tbody><tr id =\"%s\">"
"<td class=\"icon\"><img width=64 height=64 src=\"file://%s\"></img></td>"
"<td class=\"data\"><div class=\"appname\">%s</div><div class=\"appurl\">%s</div></td>"
"<td class=\"input\"><input type=\"button\" value=\"%s\" onclick=\"deleteWebApp('%s');\"></td>"
"<td class=\"date\">%s <br /> %s</td></tr></tbody>",
- app->id, app->icon_url, app->name, app->url, _("Delete"), app->id,
+ html_encoded_id, encoded_icon_url, encoded_name, encoded_url, _("Delete"), js_encoded_id,
/* Note for translators: this refers to the installation date. */
- _("Installed on:"), app->install_date);
+ _("Installed on:"), encoded_install_date);
}
g_string_append (data_str, "</table></div></body></html>");
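Review bot: The `deleteWebApp('%s')` argument is JavaScript-escaped but then placed inside an HTML attribute value (`onclick=\"...\"`) with no HTML-attribute-encoding pass, so the attribute's own parser sees `js_encoded_id` before the JS engine does; an id containing `"` (or `&` forming an entity) can still close the attribute unless `ephy_encode_for_javascript` happens to emit `\xNN`/`\uNNNN` escapes for every attribute-significant character, which is not visible from this hunk. The conventional fix is to layer the encodings, innermost context first: keep `js_encoded_id = ephy_encode_for_javascript (app->id);`, add `attr_js_encoded_id = ephy_encode_for_html_attribute (js_encoded_id);` (declared `g_autofree char *attr_js_encoded_id = NULL;` with the others), and pass `attr_js_encoded_id` in place of `js_encoded_id` in the `g_string_append_printf` argument list. A comment such as `/* onclick is an HTML attribute holding JS: JS-escape first, then attribute-encode the result */` would document why both passes are needed. Alternatively, dropping the inline handler in favour of a `data-` attribute plus a delegated event listener would remove the JS-in-attribute context entirely, but that requires changes outside this hunk. The enclosing `handle_applications_finished_cb` begins before the hunk and the `data_str` handling continues after it.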