From 127f376e32280815f09640d160e8309d87c6db19 Mon Sep 17 00:00:00 2001
From: liningjie
Date: Fri, 29 Dec 2023 16:13:37 +0800
Subject: [PATCH] fix CVE-2022-46725
---
 backport-CVE-2022-46725.patch | 50 +++++++++++++++++++++++++++++++++++
 webkit2gtk3.spec | 6 ++++-
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-46725.patch
diff --git a/backport-CVE-2022-46725.patch b/backport-CVE-2022-46725.patch
new file mode 100644
index 0000000..d98db8c
--- /dev/null
+++ b/backport-CVE-2022-46725.patch
@@ -0,0 +1,50 @@
+From 9dc5311efa905a132bc1ada6fe0956443051582d Mon Sep 17 00:00:00 2001
+From: Alex Christensen
+Date: Fri, 29 Dec 2023 15:51:06 +0800
+Subject: [PATCH] Punycode all IPA extensions code points in URLs
+ https://bugs.webkit.org/show_bug.cgi?id=247289 rdar://101429376
+
+Reviewed by Tim Horton.
+
+* Source/WTF/wtf/URLHelpers.cpp:
+(WTF::URLHelpers::isLookalikeCharacter):
+* Tools/TestWebKitAPI/Tests/WTF/cocoa/URLExtras.mm:
+(TestWebKitAPI::TEST):
+
+Canonical link: https://commits.webkit.org/256267@main
+ main (#5980)
+---
+ Source/WTF/wtf/URLHelpers.cpp | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/Source/WTF/wtf/URLHelpers.cpp b/Source/WTF/wtf/URLHelpers.cpp
+index 17865fa7..4ce6e8cd 100644
+--- a/Source/WTF/wtf/URLHelpers.cpp
++++ b/Source/WTF/wtf/URLHelpers.cpp
+@@ -152,9 +152,12 @@ static bool isLookalikeCharacter(const std::optional& previousCodePoint
+ // slashes into an ASCII solidus. But one of the two callers uses this
+ // on characters that have not been processed by ICU, so they are needed here.
+
+- if (!u_isprint(codePoint) || u_isUWhiteSpace(codePoint) || u_hasBinaryProperty(codePoint, UCHAR_DEFAULT_IGNORABLE_CODE_POINT))
++ if (!u_isprint(codePoint)
++ || u_isUWhiteSpace(codePoint)
++ || u_hasBinaryProperty(codePoint, UCHAR_DEFAULT_IGNORABLE_CODE_POINT)
++ || ublock_getCode(codePoint) == UBLOCK_IPA_EXTENSIONS)
+ return true;
+-
++
+ switch (codePoint) {
+ case 0x00BC: /* VULGAR FRACTION ONE QUARTER */
+ case 0x00BD: /* VULGAR FRACTION ONE HALF */
+@@ -166,8 +169,6 @@ static bool isLookalikeCharacter(const std::optional& previousCodePoint
+ case 0x0237: /* LATIN SMALL LETTER DOTLESS J */
+ case 0x0251: /* LATIN SMALL LETTER ALPHA */
+ case 0x0261: /* LATIN SMALL LETTER SCRIPT G */
+- case 0x0274: /* LATIN LETTER SMALL CAPITAL N */
+- case 0x027E: /* LATIN SMALL LETTER R WITH FISHHOOK */
+ case 0x02D0: /* MODIFIER LETTER TRIANGULAR COLON */
+ case 0x0335: /* COMBINING SHORT STROKE OVERLAY */
+ case 0x0337: /* COMBINING SHORT SOLIDUS OVERLAY */
+--
+2.33.0
+
diff --git a/webkit2gtk3.spec b/webkit2gtk3.spec
index dc60c28..29cd402 100644
--- a/webkit2gtk3.spec
+++ b/webkit2gtk3.spec
@@ -9,7 +9,7 @@
 #Basic Information
 Name: webkit2gtk3
 Version: 2.36.3
-Release: 4
+Release: 5
 Summary: GTK+ Web content engine library
 License: LGPLv2
 URL: https://www.webkitgtk.org/
@@ -30,6 +30,7 @@ Patch0002: webkitgtk-2.32.1-sw.patch
 Patch6000: backport-CVE-2023-28204.patch
 Patch6001: backport-CVE-2023-32373.patch
 Patch6002: backport-CVE-2023-32409.patch
+Patch6003: backport-CVE-2022-46725.patch
 #Dependency
 BuildRequires: at-spi2-core-devel bison cairo-devel cmake enchant2-devel
@@ -219,6 +220,9 @@ done
 %endif
 %changelog
+* Fri Dec 29 2023 liningjie - 2.36.3-5
+- fix CVE-2022-46725
+
 * Mon May 29 2023 zhangpan - 2.36.3-4
 - fix CVE-2023-28204 CVE-2023-32373 CVE-2023-32409
--
Gitee
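Review bot: The new file backport-CVE-2022-46725.patch carries only the Source/WTF/wtf/URLHelpers.cpp change (its own diffstat says 1 file changed), although the commit message it quotes also lists Tools/TestWebKitAPI/Tests/WTF/cocoa/URLExtras.mm, so nothing shipped here exercises the added `ublock_getCode(codePoint) == UBLOCK_IPA_EXTENSIONS` condition. I would state that in the patch header, for example `Backport note: the URLExtras.mm test hunk from upstream is omitted`, so a later rebase does not assume the fix is tested in this package. In the inner hunk at -166,8 only 0x0274 and 0x027E are dropped, while `case 0x0251:` and `case 0x0261:` remain even though both lie in the IPA Extensions block (U+0250–U+02AF) and are presumably already caught by the new check; removing them too, or tagging them `/* also covered by UBLOCK_IPA_EXTENSIONS above */`, keeps the list from suggesting the block check is partial. isLookalikeCharacter begins and ends outside both inner hunks, so the rest of the switch is not visible.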