From a649f83ff0c74f5a210d3f56ae9cd442748529b3 Mon Sep 17 00:00:00 2001
From: liweiganga <liweiganga@uniontech.com>
Date: Thu, 23 Feb 2023 14:36:35 +0800
Subject: [PATCH] fix CVE-2023-26081

---
 CVE-2023-26081.patch | 85 ++++++++++++++++++++++++++++++++++++++++++++
 epiphany.spec        |  6 +++-
 2 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-26081.patch

diff --git a/CVE-2023-26081.patch b/CVE-2023-26081.patch
new file mode 100644
index 0000000..3236e17
--- /dev/null
+++ b/CVE-2023-26081.patch
@@ -0,0 +1,85 @@
+From 53363c3c8178bf9193dad9fa3516f4e10cff0ffd Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Fri, 3 Feb 2023 13:07:15 -0600
+Subject: [PATCH] Don't autofill passwords in sandboxed contexts
+
+If using the sandbox CSP or iframe tag, the web content is supposed to
+be not trusted by the main resource origin. Therefore, we'd better
+disable the password manager entirely so the untrusted web content
+cannot exfiltrate passwords.
+
+https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
+
+Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275>
+---
+ .../resources/js/ephy.js                      | 26 +++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/embed/web-process-extension/resources/js/ephy.js b/embed/web-process-extension/resources/js/ephy.js
+index 6fccd3d94..d1c42adbc 100644
+--- a/embed/web-process-extension/resources/js/ephy.js
++++ b/embed/web-process-extension/resources/js/ephy.js
+@@ -354,6 +354,12 @@ Ephy.hasModifiedForms = function()
+     }
+ };
+ 
++Ephy.isSandboxedWebContent = function()
++{
++    // https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
++    return self.origin === null || self.origin === 'null';
++};
++
+ Ephy.PasswordManager = class PasswordManager
+ {
+     constructor(pageID, frameID)
+@@ -387,6 +393,11 @@ Ephy.PasswordManager = class PasswordManager
+ 
+     query(origin, targetOrigin, username, usernameField, passwordField)
+     {
++        if (Ephy.isSandboxedWebContent()) {
++            Ephy.log(`Not querying passwords for origin=${origin} because web content is sandboxed`);
++            return Promise.resolve(null);
++        }
++
+         Ephy.log(`Querying passwords for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}`);
+ 
+         return new Promise((resolver, reject) => {
+@@ -398,6 +409,11 @@ Ephy.PasswordManager = class PasswordManager
+ 
+     save(origin, targetOrigin, username, password, usernameField, passwordField, isNew)
+     {
++        if (Ephy.isSandboxedWebContent()) {
++            Ephy.log(`Not saving password for origin=${origin} because web content is sandboxed`);
++            return;
++        }
++
+         Ephy.log(`Saving password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);
+ 
+         window.webkit.messageHandlers.passwordManagerSave.postMessage({
+@@ -409,6 +425,11 @@ Ephy.PasswordManager = class PasswordManager
+     // FIXME: Why is pageID a parameter here?
+     requestSave(origin, targetOrigin, username, password, usernameField, passwordField, isNew, pageID)
+     {
++        if (Ephy.isSandboxedWebContent()) {
++            Ephy.log(`Not requesting to save password for origin=${origin} because web content is sandboxed`);
++            return;
++        }
++
+         Ephy.log(`Requesting to save password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);
+ 
+         window.webkit.messageHandlers.passwordManagerRequestSave.postMessage({
+@@ -428,6 +449,11 @@ Ephy.PasswordManager = class PasswordManager
+ 
+     queryUsernames(origin)
+     {
++        if (Ephy.isSandboxedWebContent()) {
++            Ephy.log(`Not querying usernames for origin=${origin} because web content is sandboxed`);
++            return Promise.resolve(null);
++        }
++
+         Ephy.log(`Requesting usernames for origin=${origin}`);
+ 
+         return new Promise((resolver, reject) => {
+-- 
+GitLab
+
diff --git a/epiphany.spec b/epiphany.spec
index 1fb6090..59c4bb0 100644
--- a/epiphany.spec
+++ b/epiphany.spec
@@ -5,12 +5,13 @@
 Name:                epiphany
 Epoch:               1
 Version:             43.0
-Release:             1
+Release:             2
 Summary:             Web browser for GNOME
 License:             GPLv3+
 URL:                 https://wiki.gnome.org/Apps/Web
 Source0:             https://download.gnome.org/sources/epiphany/43/%{name}-%{version}.tar.xz
 Patch0:              epiphany-default-bookmarks-openeuler.patch
+Patch1:              CVE-2023-26081.patch
 
 BuildRequires:       desktop-file-utils gcc gettext-devel iso-codes-devel itstool
 BuildRequires:       libappstream-glib-devel meson pkgconfig(cairo) pkgconfig(evince-document-3.0)
@@ -105,6 +106,9 @@ desktop-file-validate $RPM_BUILD_ROOT%{_datadir}/applications/*.desktop
 #%config(noreplace)%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
 
 %changelog
+* Thu Feb 23 2023 liweiganga <liweiganga@uniontech.com> - 1:43.0-2
+- fix CVE-2023-26081
+
 * Mon Jan 2 2023 lin zhang <lin.zhang@turbolinux.com.cn> - 1:43.0-1
 - Update to 43.0
 
-- 
Gitee