From da389b66130793ed4899a256b21048986007c6b3 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro
Date: Tue, 14 Dec 2021 16:46:07 -0600
Subject: pdf-handler: properly encode filename before inserting to HTML

The file's name is suggested by the server, and could be malicious. We don't want it to be able to escape the HTML attribute context.

The file data should already be safe because it is base-64 encoded. Here I'm just adjusting the code style to match what I've done for the filename.

Part-of:
---
 embed/ephy-pdf-handler.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/embed/ephy-pdf-handler.c b/embed/ephy-pdf-handler.c
index da10b7e02..bcc226c5f 100644
--- a/embed/ephy-pdf-handler.c
+++ b/embed/ephy-pdf-handler.c
@@ -23,6 +23,7 @@
 #include "ephy-embed-container.h"
 #include "ephy-embed-shell.h"
+#include "ephy-output-encoding.h"
 #include "ephy-web-view.h"
 #include
@@ -124,8 +125,9 @@ pdf_file_loaded (GObject *source,
   g_autoptr (GBytes) html_file = NULL;
   g_autoptr (GError) error = NULL;
   g_autoptr (GString) html = NULL;
-  g_autofree gchar *b64 = NULL;
   g_autofree char *file_data = NULL;
+  g_autofree char *encoded_file_data = NULL;
+  g_autofree char *encoded_filename = NULL;
   gsize len = 0;
   if (!g_file_load_contents_finish (G_FILE (source), res, &file_data, &len, NULL, &error)) {
@@ -134,13 +136,13 @@ pdf_file_loaded (GObject *source,
     return;
   }
-  html_file = g_resources_lookup_data ("/org/gnome/epiphany/pdfjs/web/viewer.html", 0, NULL);
-
-  b64 = g_base64_encode ((const guchar *)file_data, len);
   g_file_delete_async (G_FILE (source), G_PRIORITY_DEFAULT, NULL, pdf_file_deleted, NULL);
-  html = g_string_new ("");
-  g_string_printf (html, g_bytes_get_data (html_file, NULL), b64, self->file_name ? self->file_name : "");
+  html = g_string_new (NULL);
+  html_file = g_resources_lookup_data ("/org/gnome/epiphany/pdfjs/web/viewer.html", 0, NULL);
+  encoded_file_data = g_base64_encode ((const guchar *)file_data, len);
+  encoded_filename = self->file_name ? ephy_encode_for_html_attribute (self->file_name) : g_strdup ("");
+  g_string_printf (html, g_bytes_get_data (html_file, NULL), encoded_file_data, encoded_filename);
   finish_uri_scheme_request (self, g_strdup (html->str), NULL);
 }
-- 
cgit v1.2.1
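Review bot: `html_file` returned by `g_resources_lookup_data (...)` is passed straight into `g_bytes_get_data (html_file, NULL)` on the `g_string_printf` line with no NULL check; the lookup is called with a NULL GError and returns NULL when the resource is missing, which would hand `g_string_printf` a NULL format string. Since the template is compiled in, a loud `g_assert (html_file != NULL);` before the printf is preferable to a crash inside printf. Because the contents of viewer.html are used as a printf format string, the call also deserves a comment such as `/* viewer.html is a trusted bundled resource; it must contain exactly two %s conversions (base64 data, then the attribute-encoded filename) and no other % sequences. */`, since any stray `%` in the template is undefined behaviour and a future template edit would not be caught by `-Wformat`. The attribute encoding of `self->file_name` is only sufficient if the second `%s` in viewer.html really sits inside a quoted attribute value, which cannot be confirmed from this hunk; the base64 alphabet is safe in that position. The start of `pdf_file_loaded` lies outside this hunk.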