Sabri Ünal · Charles Monzat · Michael Catanzaro · Michael Catanzaro · Michael Catanzaro · Baurzhan Muftakhidinov
--- a/NEWS
+++ b/NEWS
+43.1 - February 20, 2023
+========================
+
+ * Hide bookmark star in application mode (#1811)
+ * Fix type error when displaying about:overview empty state (#1914)
+ * Fix thumbnails when loading about:overview from session state (#1917)
+ * Properly %-encode URLs copied from address bar (#1930)
+ * Fix minor memory leaks (!1193)
+ * Fix double free when file monitor for user JavaScript fails (!1258)
+ * Don't autofill passwords in sandboxed contexts (CVE-2023-26081, !1275)
+ * Updated translations
+
 43.0 - September 15, 2022
 =========================


--- a/data/org.gnome.Epiphany.appdata.xml.in.in
+++ b/data/org.gnome.Epiphany.appdata.xml.in.in
@@ -55,6 +55,7 @@
    <display_length compare="ge">360</display_length>
  </requires>
  <releases>
+    <release date="2023-02-20" version="43.1"/>
    <release date="2022-09-15" version="43.0"/>
    <release date="2022-09-01" version="43~rc"/>
    <release date="2022-08-05" version="43~beta"/>

--- a/embed/ephy-embed-prefs.c
+++ b/embed/ephy-embed-prefs.c
@@ -255,12 +255,10 @@ webkit_pref_callback_user_javascript (GSettings  *settings,
                     (GAsyncReadyCallback)user_javascript_read_cb, NULL);

  user_javascript_monitor = g_file_monitor_file (file, G_FILE_MONITOR_NONE, NULL, &error);
-  if (!user_javascript_monitor) {
+  if (!user_javascript_monitor)
    g_warning ("Could not create a file monitor for %s: %s\n", g_file_get_uri (file), error->message);
-    g_error_free (error);
-  } else {
+  else
    g_signal_connect (user_javascript_monitor, "changed", G_CALLBACK (user_javascript_file_changed), NULL);
-  }
 }

 static void

--- a/embed/ephy-find-toolbar.c
+++ b/embed/ephy-find-toolbar.c
@@ -412,20 +412,13 @@ ephy_find_toolbar_dispose (GObject *object)
 {
  EphyFindToolbar *toolbar = EPHY_FIND_TOOLBAR (object);

-  if (toolbar->find_again_source_id != 0) {
-    g_source_remove (toolbar->find_again_source_id);
-    toolbar->find_again_source_id = 0;
-  }
+  g_clear_handle_id (&toolbar->find_again_source_id, g_source_remove);
+  g_clear_handle_id (&toolbar->find_source_id, g_source_remove);

-  if (toolbar->find_source_id != 0) {
-    g_source_remove (toolbar->find_source_id);
-    toolbar->find_source_id = 0;
-  }
+  g_cancellable_cancel (toolbar->cancellable);
+  g_clear_object (&toolbar->cancellable);

-  if (toolbar->cancellable) {
-    g_cancellable_cancel (toolbar->cancellable);
-    g_clear_object (&toolbar->cancellable);
-  }
+  g_clear_object (&toolbar->entry_tag);

  G_OBJECT_CLASS (ephy_find_toolbar_parent_class)->dispose (object);
 }

--- a/embed/web-process-extension/resources/js/ephy.js
+++ b/embed/web-process-extension/resources/js/ephy.js
@@ -354,6 +354,12 @@ Ephy.hasModifiedForms = function()
    }
 };

+Ephy.isSandboxedWebContent = function()
+{
+    // https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
+    return self.origin === null || self.origin === 'null';
+};
+
 Ephy.PasswordManager = class PasswordManager
 {
    constructor(pageID, frameID)
@@ -387,6 +393,11 @@ Ephy.PasswordManager = class PasswordManager

    query(origin, targetOrigin, username, usernameField, passwordField)
    {
+        if (Ephy.isSandboxedWebContent()) {
+            Ephy.log(`Not querying passwords for origin=${origin} because web content is sandboxed`);
+            return Promise.resolve(null);
+        }
+
        Ephy.log(`Querying passwords for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}`);

        return new Promise((resolver, reject) => {
@@ -398,6 +409,11 @@ Ephy.PasswordManager = class PasswordManager

    save(origin, targetOrigin, username, password, usernameField, passwordField, isNew)
    {
+        if (Ephy.isSandboxedWebContent()) {
+            Ephy.log(`Not saving password for origin=${origin} because web content is sandboxed`);
+            return;
+        }
+
        Ephy.log(`Saving password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);

        window.webkit.messageHandlers.passwordManagerSave.postMessage({
@@ -409,6 +425,11 @@ Ephy.PasswordManager = class PasswordManager
    // FIXME: Why is pageID a parameter here?
    requestSave(origin, targetOrigin, username, password, usernameField, passwordField, isNew, pageID)
    {
+        if (Ephy.isSandboxedWebContent()) {
+            Ephy.log(`Not requesting to save password for origin=${origin} because web content is sandboxed`);
+            return;
+        }
+
        Ephy.log(`Requesting to save password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);

        window.webkit.messageHandlers.passwordManagerRequestSave.postMessage({
@@ -428,6 +449,11 @@ Ephy.PasswordManager = class PasswordManager

    queryUsernames(origin)
    {
+        if (Ephy.isSandboxedWebContent()) {
+            Ephy.log(`Not querying usernames for origin=${origin} because web content is sandboxed`);
+            return Promise.resolve(null);
+        }
+
        Ephy.log(`Requesting usernames for origin=${origin}`);

        return new Promise((resolver, reject) => {

--- a/embed/web-process-extension/resources/js/overview.js
+++ b/embed/web-process-extension/resources/js/overview.js
@@ -29,6 +29,9 @@ Ephy.Overview = class Overview
    _initialize()
    {
        const anchors = document.getElementsByTagName('a');
+        if (anchors.length === 0)
+            return;
+
        for (let i = 0; i < anchors.length; i++) {
            const anchor = anchors[i];
            if (anchor.className !== 'overview-item')
@@ -253,11 +256,7 @@ Ephy.Overview.Item = class OverviewItem

    thumbnailPath()
    {
-        const style = this._thumbnail.style;
-        if (style.isPropertyImplicit('background'))
-            return null;
-
-        const background = style.getPropertyValue('background');
+        const background = this._thumbnail.style.getPropertyValue('background');
        if (!background)
            return null;


--- a/help/de/de.po
+++ b/help/de/de.po
--- a/help/fr/fr.po
+++ b/help/fr/fr.po
@@ -10,8 +10,8 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: epiphany master\n"
-"POT-Creation-Date: 2022-02-17 17:11+0000\n"
-"PO-Revision-Date: 2022-04-06 19:12+0200\n"
+"POT-Creation-Date: 2022-04-08 09:45+0000\n"
+"PO-Revision-Date: 2022-04-10 21:59+0200\n"
 "Last-Translator: Charles Monzat <charles.monzat@free.fr>\n"
 "Language-Team: GNOME French Team <gnomefr@traduc.org>\n"
 "Language: fr\n"
@@ -172,8 +172,8 @@ msgstr ""
 #: C/legal.xml:5
 msgid "Creative Commons Attribution-ShareAlike 3.0 Unported License"
 msgstr ""
-"Creative Commons Paternité-Partage des Conditions Initiales à l’Identique "
-"3.0 non transposé"
+"Creative Commons Attribution - Partage dans les Mêmes Conditions 3.0 non "
+"transposé"

 #. (itstool) path: license/p
 #: C/legal.xml:4

--- a/lib/ephy-search-engine-manager.c
+++ b/lib/ephy-search-engine-manager.c
@@ -123,6 +123,7 @@ load_search_engines_from_settings (EphySearchEngineManager *manager)
      url = "";
    if (!g_variant_dict_lookup (&dict, "bang", "&s", &bang))
      bang = "";
+    g_variant_dict_clear (&dict);

    search_engine = g_object_new (EPHY_TYPE_SEARCH_ENGINE,
                                  "name", name,

--- a/lib/ephy-uri-helpers.c
+++ b/lib/ephy-uri-helpers.c
@@ -51,7 +51,7 @@ ephy_uri_normalize (const char *uri_string)
  if (!uri_string || !*uri_string)
    return NULL;

-  uri = g_uri_parse (uri_string, G_URI_FLAGS_SCHEME_NORMALIZE, NULL);
+  uri = g_uri_parse (uri_string, G_URI_FLAGS_ENCODED, NULL);
  if (!uri)
    return g_strdup (uri_string);


--- a/meson.build
+++ b/meson.build
 project('epiphany', 'c',
  license: 'GPL3+',
-  version: '43.0',
+  version: '43.1',
  meson_version: '>= 0.59.0',
  default_options: ['c_std=gnu11',
                    'warning_level=2']

--- a/po/LINGUAS
+++ b/po/LINGUAS
@@ -46,6 +46,7 @@ hr
 hu
 hy
 id
+ie
 ig
 is
 it

--- a/po/ab.po
+++ b/po/ab.po
--- a/po/en_GB.po
+++ b/po/en_GB.po
--- a/po/fr.po
+++ b/po/fr.po
--- a/po/fur.po
+++ b/po/fur.po
--- a/po/ie.po
+++ b/po/ie.po
--- a/po/it.po
+++ b/po/it.po
--- a/po/kk.po
+++ b/po/kk.po
--- a/po/nb.po
+++ b/po/nb.po