1 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch b/meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch
new file mode 100644
index 0000000000..af1e20bd8f
--- /dev/null
+++ b/meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch
@@ -0,0 +1,90 @@
+From 53363c3c8178bf9193dad9fa3516f4e10cff0ffd Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Fri, 3 Feb 2023 13:07:15 -0600
+Subject: [PATCH] Don't autofill passwords in sandboxed contexts
+If using the sandbox CSP or iframe tag, the web content is supposed to
+be not trusted by the main resource origin. Therefore, we'd better
+disable the password manager entirely so the untrusted web content
+cannot exfiltrate passwords.
+https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
+Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275>
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/epiphany/-/commit/53363c3c8178bf9193dad9fa3516f4e10cff0ffd]
+CVE: CVE-2023-26081
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ .../resources/js/ephy.js                      | 26 +++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+diff --git a/embed/web-process-extension/resources/js/ephy.js b/embed/web-process-extension/resources/js/ephy.js
+index 38b806f..44d1792 100644
+--- a/embed/web-process-extension/resources/js/ephy.js
+++ b/embed/web-process-extension/resources/js/ephy.js
+@@ -352,6 +352,12 @@ Ephy.hasModifiedForms = function()
+     }
+ };
+ 
+Ephy.isSandboxedWebContent = function()
+{
+    // https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
+    return self.origin === null || self.origin === 'null';
+};
+
+ Ephy.PasswordManager = class PasswordManager
+ {
+     constructor(pageID, frameID)
+@@ -385,6 +391,11 @@ Ephy.PasswordManager = class PasswordManager
+ 
+     query(origin, targetOrigin, username, usernameField, passwordField)
+     {
+        if (Ephy.isSandboxedWebContent()) {
+            Ephy.log(`Not querying passwords for origin=${origin} because web content is sandboxed`);
+            return Promise.resolve(null);
+        }
+
+         Ephy.log(`Querying passwords for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}`);
+ 
+         return new Promise((resolver, reject) => {
+@@ -396,6 +407,11 @@ Ephy.PasswordManager = class PasswordManager
+ 
+     save(origin, targetOrigin, username, password, usernameField, passwordField, isNew)
+     {
+        if (Ephy.isSandboxedWebContent()) {
+            Ephy.log(`Not saving password for origin=${origin} because web content is sandboxed`);
+            return;
+        }
+
+         Ephy.log(`Saving password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);
+ 
+         window.webkit.messageHandlers.passwordManagerSave.postMessage({
+@@ -407,6 +423,11 @@ Ephy.PasswordManager = class PasswordManager
+     // FIXME: Why is pageID a parameter here?
+     requestSave(origin, targetOrigin, username, password, usernameField, passwordField, isNew, pageID)
+     {
+        if (Ephy.isSandboxedWebContent()) {
+            Ephy.log(`Not requesting to save password for origin=${origin} because web content is sandboxed`);
+            return;
+        }
+
+         Ephy.log(`Requesting to save password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);
+ 
+         window.webkit.messageHandlers.passwordManagerRequestSave.postMessage({
+@@ -426,6 +447,11 @@ Ephy.PasswordManager = class PasswordManager
+ 
+     queryUsernames(origin)
+     {
+        if (Ephy.isSandboxedWebContent()) {
+            Ephy.log(`Not querying usernames for origin=${origin} because web content is sandboxed`);
+            return Promise.resolve(null);
+        }
+
+         Ephy.log(`Requesting usernames for origin=${origin}`);
+ 
+         return new Promise((resolver, reject) => {
+-- 
+2.35.5

diff --git a/meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch b/meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch new file mode 100644 index 0000000000..af1e20bd8f --- /dev/null +++ b/meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch
@@ -0,0 +1,90 @@
	1	From 53363c3c8178bf9193dad9fa3516f4e10cff0ffd Mon Sep 17 00:00:00 2001
	2	From: Michael Catanzaro <mcatanzaro@redhat.com>
	3	Date: Fri, 3 Feb 2023 13:07:15 -0600
	4	Subject: [PATCH] Don't autofill passwords in sandboxed contexts
	5
	6	If using the sandbox CSP or iframe tag, the web content is supposed to
	7	be not trusted by the main resource origin. Therefore, we'd better
	8	disable the password manager entirely so the untrusted web content
	9	cannot exfiltrate passwords.
	10
	11	https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
	12
	13	Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275>
	14
	15	Upstream-Status: Backport
	16	[https://gitlab.gnome.org/GNOME/epiphany/-/commit/53363c3c8178bf9193dad9fa3516f4e10cff0ffd]
	17	CVE: CVE-2023-26081
	18	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
	19	---
	20	.../resources/js/ephy.js \| 26 +++++++++++++++++++
	21	1 file changed, 26 insertions(+)
	22
	23	diff --git a/embed/web-process-extension/resources/js/ephy.js b/embed/web-process-extension/resources/js/ephy.js
	24	index 38b806f..44d1792 100644
	25	--- a/embed/web-process-extension/resources/js/ephy.js
	26	+++ b/embed/web-process-extension/resources/js/ephy.js
	27	@@ -352,6 +352,12 @@ Ephy.hasModifiedForms = function()
	28	}
	29	};
	30
	31	+Ephy.isSandboxedWebContent = function()
	32	+{
	33	+ // https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
	34	+ return self.origin === null \|\| self.origin === 'null';
	35	+};
	36	+
	37	Ephy.PasswordManager = class PasswordManager
	38	{
	39	constructor(pageID, frameID)
	40	@@ -385,6 +391,11 @@ Ephy.PasswordManager = class PasswordManager
	41
	42	query(origin, targetOrigin, username, usernameField, passwordField)
	43	{
	44	+ if (Ephy.isSandboxedWebContent()) {
	45	+ Ephy.log(`Not querying passwords for origin=${origin} because web content is sandboxed`);
	46	+ return Promise.resolve(null);
	47	+ }
	48	+
	49	Ephy.log(`Querying passwords for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}`);
	50
	51	return new Promise((resolver, reject) => {
	52	@@ -396,6 +407,11 @@ Ephy.PasswordManager = class PasswordManager
	53
	54	save(origin, targetOrigin, username, password, usernameField, passwordField, isNew)
	55	{
	56	+ if (Ephy.isSandboxedWebContent()) {
	57	+ Ephy.log(`Not saving password for origin=${origin} because web content is sandboxed`);
	58	+ return;
	59	+ }
	60	+
	61	Ephy.log(`Saving password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);
	62
	63	window.webkit.messageHandlers.passwordManagerSave.postMessage({
	64	@@ -407,6 +423,11 @@ Ephy.PasswordManager = class PasswordManager
	65	// FIXME: Why is pageID a parameter here?
	66	requestSave(origin, targetOrigin, username, password, usernameField, passwordField, isNew, pageID)
	67	{
	68	+ if (Ephy.isSandboxedWebContent()) {
	69	+ Ephy.log(`Not requesting to save password for origin=${origin} because web content is sandboxed`);
	70	+ return;
	71	+ }
	72	+
	73	Ephy.log(`Requesting to save password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);
	74
	75	window.webkit.messageHandlers.passwordManagerRequestSave.postMessage({
	76	@@ -426,6 +447,11 @@ Ephy.PasswordManager = class PasswordManager
	77
	78	queryUsernames(origin)
	79	{
	80	+ if (Ephy.isSandboxedWebContent()) {
	81	+ Ephy.log(`Not querying usernames for origin=${origin} because web content is sandboxed`);
	82	+ return Promise.resolve(null);
	83	+ }
	84	+
	85	Ephy.log(`Requesting usernames for origin=${origin}`);
	86
	87	return new Promise((resolver, reject) => {
	88	--
	89	2.35.5
	90