cordova-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ste...@apache.org
Subject svn commit: r1704444 - in /cordova/site: public/blog/index.html public/index.html public/news/2015/09/21/ public/news/2015/09/21/file-transfer-release.html public/rss.xml www/_posts/2015-09-21-file-transfer-release.md
Date Mon, 21 Sep 2015 23:56:37 GMT
Author: steven
Date: Mon Sep 21 23:56:37 2015
New Revision: 1704444

URL: http://svn.apache.org/viewvc?rev=1704444&view=rev
Log:
added file-transfer blog post

Added:
    cordova/site/public/news/2015/09/21/
    cordova/site/public/news/2015/09/21/file-transfer-release.html
    cordova/site/www/_posts/2015-09-21-file-transfer-release.md
Modified:
    cordova/site/public/blog/index.html
    cordova/site/public/index.html
    cordova/site/public/rss.xml

Modified: cordova/site/public/blog/index.html
URL: http://svn.apache.org/viewvc/cordova/site/public/blog/index.html?rev=1704444&r1=1704443&r2=1704444&view=diff
==============================================================================
--- cordova/site/public/blog/index.html (original)
+++ cordova/site/public/blog/index.html Mon Sep 21 23:56:37 2015
@@ -57,6 +57,11 @@
 <ul class="posts">
   
     <li>
+    <span>21 Sep 2015</span> &raquo;
+    <a href="//cordova.apache.org/news/2015/09/21/file-transfer-release.html">cordova--plugin-file-transfer
release: September 21, 2015</a>
+    </li>
+  
+    <li>
     <span>09 Sep 2015</span> &raquo;
     <a href="//cordova.apache.org/news/2015/09/09/tools-release.html">Tools Release:
September 9th, 2015</a>
     </li>

Modified: cordova/site/public/index.html
URL: http://svn.apache.org/viewvc/cordova/site/public/index.html?rev=1704444&r1=1704443&r2=1704444&view=diff
==============================================================================
--- cordova/site/public/index.html (original)
+++ cordova/site/public/index.html Mon Sep 21 23:56:37 2015
@@ -89,6 +89,23 @@
   <h2>News <a href="/rss.xml" style="font-size:12pt; margin-left:10px">Subscribe</a></h2>
   <ul class="posts">
     
+      <li><span>21 Sep 2015</span> &raquo; <a href="//cordova.apache.org/news/2015/09/21/file-transfer-release.html">cordova--plugin-file-transfer
release: September 21, 2015</a>
+      
+<p>A medium security issue was discovered for cordova-plugin-file-transfer plugin.
We are releasing version <code>1.3.0</code> of <code>cordova-plugin-file-transer</code>
to address this security issue. We recommend that all applications currently using an older
version of this plugin to upgrade as soon as possible.</p>
+<hr />
+<p>You can update the plugin by removing it, and then re-adding it.</p>
+
+<p>E.g. To update your file-transer plugin:</p>
+
+<pre><code>cordova plugin rm cordova-plugin-file-transfer --save
+cordova plugin add cordova-plugin-file-transfer --save</code></pre>
+
+<p>The security issue is CVE-2015-5204.</p>
+
+<p>For your convenience, the text of the CVE is included here:</p>
+
+      <div style="padding-bottom:2em"><a href="//cordova.apache.org/news/2015/09/21/file-transfer-release.html">Read
More</a></div>
+    
       <li><span>09 Sep 2015</span> &raquo; <a href="//cordova.apache.org/news/2015/09/09/tools-release.html">Tools
Release: September 9th, 2015</a>
       
 <p>New versions of cordova tools are now live!</p>
@@ -137,26 +154,6 @@
 
       <div style="padding-bottom:2em"><a href="//cordova.apache.org/news/2015/09/08/CPR-readonly.html">Read
More</a></div>
     
-      <li><span>05 Sep 2015</span> &raquo; <a href="//cordova.apache.org/announcements/2015/09/05/cordova-blackberry-3.8.0.html">Apache
Cordova BlackBerry 3.8.0</a>
-      
-<p>We are happy to announce that <code>Cordova BlackBerry 3.8.0</code>
has been released and will be the default BlackBerry version after next <code>cordova-cli</code>
release.</p>
-
-<p>This release adds support for adding blackberry10 platform on any workstation OS,
adds subdomain whitelisting and includes several bug fixes.</p>
-
-<p>To upgrade:</p>
-
-<pre><code>npm install -g cordova
-cd my_project
-cordova platform update blackberry10@3.8.0</code></pre>
-
-<p>To add it explicitly:</p>
-
-<pre><code>cordova platform add blackberry10@3.8.0 --save</code></pre>
-
-<p>For non-CLI projects or for pre-3.0 projects, refer to the <a href="http://cordova.apache.org/docs/en/edge/guide_platforms_index.md.html">upgrade
guides</a>.</p>
-
-      <div style="padding-bottom:2em"><a href="//cordova.apache.org/announcements/2015/09/05/cordova-blackberry-3.8.0.html">Read
More</a></div>
-    
   </ul>
   
   <p>

Added: cordova/site/public/news/2015/09/21/file-transfer-release.html
URL: http://svn.apache.org/viewvc/cordova/site/public/news/2015/09/21/file-transfer-release.html?rev=1704444&view=auto
==============================================================================
--- cordova/site/public/news/2015/09/21/file-transfer-release.html (added)
+++ cordova/site/public/news/2015/09/21/file-transfer-release.html Mon Sep 21 23:56:37 2015
@@ -0,0 +1,196 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <link rel="SHORTCUT ICON" href="//cordova.apache.org/favicon.ico"/>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <meta name = "format-detection" content = "telephone=no">
+    <meta name="viewport" content="user-scalable=no, initial-scale=1, maximum-scale=1,
minimum-scale=1, width=device-width" />
+    <!-- Original Jekyll
+    <meta name="viewport" content="width=device-width">
+    -->
+    <title>cordova--plugin-file-transfer release: September 21, 2015</title>
+    <!-- syntax highlighting CSS -->
+    <link rel="stylesheet" href="//cordova.apache.org/css/syntax.css">
+    <!-- Custom CSS -->
+    <link rel="stylesheet" href="//cordova.apache.org/css/main.css">
+
+    <!-- Cordova CSS -->
+    <link rel="stylesheet" type="text/css" href="//cordova.apache.org/css/master.css">
+    <script src="//cordova.apache.org/js/smooth.pack.js" type="text/javascript"></script>
+</head>
+
+<body>
+    <a class="scroll-point pt-top" name="top">
+</a>
+<div id="header">
+    <div class="wrap">
+        <a class="logo" href="//cordova.apache.org/#top"></a>
+        <div class="menu">
+            <a href="//cordova.apache.org/#about">About</a>
+            <a href="//cordova.apache.org/#news">News</a>
+            <a href="http://cordova.apache.org/docs/en/5.0.0/">Documentation</a>
+            <a href="http://plugins.cordova.io/">Plugins</a>
+            <a href="//cordova.apache.org/#links">Quick Links</a>
+            <a href="//cordova.apache.org/#contribute">Contribute</a>
+            <a href="//cordova.apache.org/#mailing-list">Mailing List</a>
+        </div>
+        <form class="menu-dropdown">
+            <select onchange="location = this.options[this.selectedIndex].value;">
+                <option value="//cordova.apache.org/#about">About</option>
+                <option value="//cordova.apache.org/#news">News</option>
+                <option value="http://cordova.apache.org/docs/en/5.0.0/">Documentation</option>
+                <option value="http://plugins.cordova.io/">Plugins</option>
+                <option value="//cordova.apache.org/#links">Quick Links</option>
+                <option value="//cordova.apache.org/#contribute">Contribute</option>
+                <option value="//cordova.apache.org/#mailing-list">Mailing List</option>
+            </select>
+        </form>
+    </div>
+    <div class="shadow"></div>
+</div> <!-- /header -->
+<div class="header-placeholder"></div>
+
+    <div class="site">
+    <h2>cordova--plugin-file-transfer release: September 21, 2015</h2>
+    <div class="meta">Posted by: <a href=""></a></div>
+    <p class="meta">21 Sep 2015</p>
+    <div class="post">
+    
+<p>A medium security issue was discovered for cordova-plugin-file-transfer plugin.
We are releasing version <code>1.3.0</code> of <code>cordova-plugin-file-transer</code>
to address this security issue. We recommend that all applications currently using an older
version of this plugin to upgrade as soon as possible.</p>
+<hr />
+<p>You can update the plugin by removing it, and then re-adding it.</p>
+
+<p>E.g. To update your file-transer plugin:</p>
+
+<pre><code>cordova plugin rm cordova-plugin-file-transfer --save
+cordova plugin add cordova-plugin-file-transfer --save</code></pre>
+
+<p>The security issue is CVE-2015-5204.</p>
+
+<p>For your convenience, the text of the CVE is included here:</p>
+<!--more--><hr />
+<p>CVE-2015-5204: HTTP header injection vulerability in Apache Cordova File Transfer
Plugin for Android</p>
+
+<p>Severity: Medium</p>
+
+<p>Vendor: The Apache Software Foundation</p>
+
+<p>Versions Affected: Cordova Android File Transfer Plugin (1.2.1 and below)</p>
+
+<p>Description: Android applications built with the Cordova framework that use the
File Transfer Plugin can have the HTTP headers set by that plugin be manipulated by the filename
being uploaded. This allows for for cookies to be forged by the Cordova application, or for
the file payload to be replaced in some situations. Remotely hosted applications and applications
developed with Cordova that allow the user to manually enter the filename are especially vulnerable
to this issue.</p>
+
+<p>Upgrade path: Developers who are concerned about this issue should install version
1.3.0 or higher of the Cordova File Transfer Plugin and rebuild their applications. This plugin
now conforms with RFC-2616 and no longer allows non-ASCII characters and control characters
in header names or values. Any non-ASCII characters will be removed from the header. Developers
should be aware, and encode these characters before adding the values to the header.</p>
+
+<p>Credit: This issue was discovered by Muneaki Nishimura (Sony Digital Network Applications,
Inc.)</p>
+
+<p>=======================</p>
+
+<p>cordova-plugin-file-transfer@1.3.0</p>
+
+<ul>
+<li>Found issue where : is accepted as a valid header, this is obviously wrong</li>
+
+<li><a href="https://issues.apache.org/jira/browse/CB-9562">CB-9562</a>
Fixed incorrect headers handling on Android</li>
+
+<li>Fixing headers so they don’t accept non-ASCII</li>
+
+<li>updated tests to use cordova apache vm</li>
+
+<li><a href="https://issues.apache.org/jira/browse/CB-9493">CB-9493</a>
Fix file paths in file-transfer manual tests</li>
+
+<li><a href="https://issues.apache.org/jira/browse/CB-8816">CB-8816</a>
Add cdvfile:// support on windows</li>
+
+<li><a href="https://issues.apache.org/jira/browse/CB-9376">CB-9376</a>
Fix FileTransfer plugin manual tests issue - ‘undefined’ in paths</li>
+</ul>
+
+    </div>
+</div>
+
+    <a class="scroll-point" name="links"></a>
+<hr/>
+
+<div class="wrap quick-links-pane">
+    <h2 class="icon icon-quick-links">Quick Links</h2>
+    <br/>
+    <ul class="quick-links-header">
+        <li>General</li>
+        <li>Development</li>
+        <li class="last">Apache Software Foundation</li>
+    </ul>
+    <div class="clear"></div>
+</div>
+
+<div class="grid">
+    <div class="wrap">
+        <div class="list-container">
+            <ul class="list quick-links">
+                <li class="corner"></li>
+                <li><a href="//cordova.apache.org/index.html#about">About Cordova<span></span></a></li>
+
+                
+                <li><a href="http://projects.apache.org/projects/cordova.html">Apache
Project Page<span></span></a></li>
+                
+                <li><a href="http://www.apache.org/licenses/LICENSE-2.0">License<span></span></a></li>
+                
+
+                <li><a href="//cordova.apache.org/artwork.html">Artwork<span></span></a></li>
+            </ul>
+
+            <ul class="list quick-links">
+                <li class="corner"></li>
+                <li><a href="//cordova.apache.org/index.html#download">Download<span></span></a></li>
+                <li><a href="http://cordova.apache.org/docs/en/5.0.0/">Documentation<span></span></a></li>
+
+                
+                <li><a href="https://git-wip-us.apache.org/repos/asf">Source
Code<span></span></a></li>
+                
+                <li><a href="https://issues.apache.org/jira/browse/CB">Issue
Tracker<span></span></a></li>
+                
+                <li><a href="http://wiki.apache.org/cordova/">Wiki<span></span></a></li>
+                
+
+                <li><a href="//cordova.apache.org/index.html#mailing-list">Mailing
List<span></span></a></li>
+
+                <li><a href="http://stackoverflow.com/tags/cordova">Support<span></span></a></li>
+            </ul>
+
+            <ul class="list quick-links last">
+                <li class="corner"></li>
+                
+                <li><a href="http://www.apache.org/">About ASF<span></span></a></li>
+                
+                <li><a href="http://www.apache.org/foundation/thanks.html">Thanks<span></span></a></li>
+                
+                <li><a href="http://www.apache.org/foundation/sponsorship.html">Become
a Sponsor<span></span></a></li>
+                
+                <li><a href="http://www.apache.org/security/">Security<span></span></a></li>
+                
+            </ul>
+
+            <div class="clear"></div>
+        </div>
+    </div>
+</div>
+
+    <hr/>
+<div id="footer">
+    <p>Copyright © 2012, 2013 The Apache Software Foundation, Licensed under the
<a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.<br/>
+    Apache and the Apache feather logos are <a href="http://www.apache.org/foundation/marks/list/">trademarks</a>
of The Apache Software Foundation.
+    </p>
+    <a class="closing" href="#top"></a>
+</div>
+
+    <script>
+    (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
+    (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
+    m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
+    })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
+
+    ga('create', 'UA-64283057-3', 'auto');
+    ga('send', 'pageview');
+</script>
+
+</body>
+</html>

Modified: cordova/site/public/rss.xml
URL: http://svn.apache.org/viewvc/cordova/site/public/rss.xml?rev=1704444&r1=1704443&r2=1704444&view=diff
==============================================================================
--- cordova/site/public/rss.xml (original)
+++ cordova/site/public/rss.xml Mon Sep 21 23:56:37 2015
@@ -5,8 +5,8 @@
         <description>Apache Cordova - Apache Cordova is a set of device APIs that allow
a web mobile app developer to access native device function from JavaScript.</description>
         <atom:link href="http://cordova.apache.org/rss.xml" rel="self" type="application/rss+xml"
/>
         <link>http://cordova.apache.org/rss.xml</link>
-        <lastBuildDate>Wed, 09 Sep 2015 21:46:38 -0700</lastBuildDate>
-        <pubDate>Wed, 09 Sep 2015 21:46:38 -0700</pubDate>
+        <lastBuildDate>Mon, 21 Sep 2015 16:42:00 -0700</lastBuildDate>
+        <pubDate>Mon, 21 Sep 2015 16:42:00 -0700</pubDate>
         <ttl>1800</ttl>
         <image>
             <url>http://cordova.apache.org</url>
@@ -19,6 +19,61 @@
 
 
         <item>
+                <title>cordova--plugin-file-transfer release: September 21, 2015</title>
+                <description>
+&lt;p&gt;A medium security issue was discovered for cordova-plugin-file-transfer
plugin. We are releasing version &lt;code&gt;1.3.0&lt;/code&gt; of &lt;code&gt;cordova-plugin-file-transer&lt;/code&gt;
to address this security issue. We recommend that all applications currently using an older
version of this plugin to upgrade as soon as possible.&lt;/p&gt;
+&lt;hr /&gt;
+&lt;p&gt;You can update the plugin by removing it, and then re-adding it.&lt;/p&gt;
+
+&lt;p&gt;E.g. To update your file-transer plugin:&lt;/p&gt;
+
+&lt;pre&gt;&lt;code&gt;cordova plugin rm cordova-plugin-file-transfer --save
+cordova plugin add cordova-plugin-file-transfer --save&lt;/code&gt;&lt;/pre&gt;
+
+&lt;p&gt;The security issue is CVE-2015-5204.&lt;/p&gt;
+
+&lt;p&gt;For your convenience, the text of the CVE is included here:&lt;/p&gt;
+&lt;!--more--&gt;&lt;hr /&gt;
+&lt;p&gt;CVE-2015-5204: HTTP header injection vulerability in Apache Cordova File
Transfer Plugin for Android&lt;/p&gt;
+
+&lt;p&gt;Severity: Medium&lt;/p&gt;
+
+&lt;p&gt;Vendor: The Apache Software Foundation&lt;/p&gt;
+
+&lt;p&gt;Versions Affected: Cordova Android File Transfer Plugin (1.2.1 and below)&lt;/p&gt;
+
+&lt;p&gt;Description: Android applications built with the Cordova framework that
use the File Transfer Plugin can have the HTTP headers set by that plugin be manipulated by
the filename being uploaded. This allows for for cookies to be forged by the Cordova application,
or for the file payload to be replaced in some situations. Remotely hosted applications and
applications developed with Cordova that allow the user to manually enter the filename are
especially vulnerable to this issue.&lt;/p&gt;
+
+&lt;p&gt;Upgrade path: Developers who are concerned about this issue should install
version 1.3.0 or higher of the Cordova File Transfer Plugin and rebuild their applications.
This plugin now conforms with RFC-2616 and no longer allows non-ASCII characters and control
characters in header names or values. Any non-ASCII characters will be removed from the header.
Developers should be aware, and encode these characters before adding the values to the header.&lt;/p&gt;
+
+&lt;p&gt;Credit: This issue was discovered by Muneaki Nishimura (Sony Digital Network
Applications, Inc.)&lt;/p&gt;
+
+&lt;p&gt;=======================&lt;/p&gt;
+
+&lt;p&gt;cordova-plugin-file-transfer@1.3.0&lt;/p&gt;
+
+&lt;ul&gt;
+&lt;li&gt;Found issue where : is accepted as a valid header, this is obviously wrong&lt;/li&gt;
+
+&lt;li&gt;&lt;a href=&quot;https://issues.apache.org/jira/browse/CB-9562&quot;&gt;CB-9562&lt;/a&gt;
Fixed incorrect headers handling on Android&lt;/li&gt;
+
+&lt;li&gt;Fixing headers so they don’t accept non-ASCII&lt;/li&gt;
+
+&lt;li&gt;updated tests to use cordova apache vm&lt;/li&gt;
+
+&lt;li&gt;&lt;a href=&quot;https://issues.apache.org/jira/browse/CB-9493&quot;&gt;CB-9493&lt;/a&gt;
Fix file paths in file-transfer manual tests&lt;/li&gt;
+
+&lt;li&gt;&lt;a href=&quot;https://issues.apache.org/jira/browse/CB-8816&quot;&gt;CB-8816&lt;/a&gt;
Add cdvfile:// support on windows&lt;/li&gt;
+
+&lt;li&gt;&lt;a href=&quot;https://issues.apache.org/jira/browse/CB-9376&quot;&gt;CB-9376&lt;/a&gt;
Fix FileTransfer plugin manual tests issue - ‘undefined’ in paths&lt;/li&gt;
+&lt;/ul&gt;
+</description>
+                <link>http://cordova.apache.org/news/2015/09/21/file-transfer-release.html</link>
+                <guid>http://cordova.apache.org/news/2015/09/21/file-transfer-release</guid>
+                <pubDate>Mon, 21 Sep 2015</pubDate>
+        </item>
+
+        <item>
                 <title>Tools Release: September 9th, 2015</title>
                 <description>
 &lt;p&gt;New versions of cordova tools are now live!&lt;/p&gt;

Added: cordova/site/www/_posts/2015-09-21-file-transfer-release.md
URL: http://svn.apache.org/viewvc/cordova/site/www/_posts/2015-09-21-file-transfer-release.md?rev=1704444&view=auto
==============================================================================
--- cordova/site/www/_posts/2015-09-21-file-transfer-release.md (added)
+++ cordova/site/www/_posts/2015-09-21-file-transfer-release.md Mon Sep 21 23:56:37 2015
@@ -0,0 +1,71 @@
+---
+layout: post
+author:
+name: Steve Gill
+url: https://twitter.com/stevesgill
+title:  "cordova--plugin-file-transfer release: September 21, 2015"
+categories: news
+tags: release plugins
+---
+
+A medium security issue was discovered for cordova-plugin-file-transfer plugin. We are releasing
version `1.3.0` of `cordova-plugin-file-transer` to address this security issue. We recommend
that all applications currently using an older version of this plugin to upgrade as soon as
possible. 
+
+----
+You can update the plugin by removing it, and then re-adding it.
+
+ E.g. To update your file-transer plugin:
+
+    cordova plugin rm cordova-plugin-file-transfer --save
+    cordova plugin add cordova-plugin-file-transfer --save
+
+The security issue is CVE-2015-5204.
+
+For your convenience, the text of the CVE is included here:
+
+<!--more-->
+
+---
+CVE-2015-5204: HTTP header injection vulerability in Apache Cordova File
+Transfer Plugin for Android
+
+Severity:
+ Medium
+
+Vendor:
+ The Apache Software Foundation
+
+Versions Affected:
+ Cordova Android File Transfer Plugin  (1.2.1 and below)
+
+Description:
+ Android applications built with the Cordova framework that use the File
+ Transfer Plugin can have the HTTP headers set by that plugin be manipulated
+ by the filename being uploaded.  This allows for for cookies to be forged
+ by the Cordova application, or for the file payload to be replaced in some
+ situations.  Remotely hosted applications and applications developed with
+ Cordova that allow the user to manually enter the filename are
+ especially vulnerable to this issue.
+
+Upgrade path:
+ Developers who are concerned about this issue should install version 1.3.0
+ or higher of the Cordova File Transfer Plugin and rebuild their
+ applications.  This plugin now conforms with RFC-2616 and no longer allows
+ non-ASCII characters and control characters in header names or values.
+ Any non-ASCII
+ characters will be removed from the header.  Developers should be aware,
+ and encode these
+ characters before adding the values to the header.
+
+Credit:
+ This issue was discovered by Muneaki Nishimura (Sony Digital Network Applications, Inc.)
+
+=======================
+
+cordova-plugin-file-transfer@1.3.0
+* Found issue where : is accepted as a valid header, this is obviously wrong
+* [CB-9562](https://issues.apache.org/jira/browse/CB-9562) Fixed incorrect headers handling
on Android
+* Fixing headers so they don't accept non-ASCII
+* updated tests to use cordova apache vm
+* [CB-9493](https://issues.apache.org/jira/browse/CB-9493) Fix file paths in file-transfer
manual tests
+* [CB-8816](https://issues.apache.org/jira/browse/CB-8816) Add cdvfile:// support on windows
+* [CB-9376](https://issues.apache.org/jira/browse/CB-9376) Fix FileTransfer plugin manual
tests issue - 'undefined' in paths



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cordova.apache.org
For additional commands, e-mail: commits-help@cordova.apache.org


Mime
View raw message