From julio cesar sanchez <jcesarmob...@gmail.com>
Subject Re: Cordova Android < 3.5.1 XAS Security Vulnerability -- possibility of releasing a 2.7-based patched version
Date Wed, 08 Oct 2014 14:01:38 GMT
I'm updating the app right now.

I'm using plugman and it's working fine, the only problem I've found is, as
the app is old and I don't want to change the code, I tried to install the
file plugin from an older release (older than 1.0.0 release as it brought a
lot of changes) and got an error, but I'm not even sure if plugman supports
installing plugins from older releases.

I ended up downloading the older release and installed it from the folder, and this
is working fine.


2014-10-02 21:37 GMT+02:00 julio cesar sanchez <jcesarmobile@gmail.com>:

> I've been using it for two and a half years on iOS but only for a year on android
> Your blog post was very helpful (
> http://infil00p.org/android/cordova/phonegap/2012/12/04/advanced-tutorial-using-cordovawebview-on-android/
> )
>
> We had a meeting with IBM guys yesterday and I think they mentioned that
> they use the embedded webviews on worklight too
>
> 2014-10-02 19:16 GMT+02:00 Joe Bowser <bowserj@gmail.com>:
>
>>
>>
>> On Thu, Oct 2, 2014 at 9:57 AM, julio cesar sanchez <
>> jcesarmobile@gmail.com> wrote:
>>
>>> I have received the same mail.
>>>
>>> BTW, in one of my apps I use an embedded cordova webview and I'm not sure
>>> how to upgrade that app.
>>>
>>> My main problem is I don't know how to install the core plugins I need,
>>> that isn't explained on the embedding webviews guide. I don't think I can
>>> use the CLI as the project isn't created with the CLI and isn't a real
>>> cordova project.
>>>
>>> Any hints?
>>>
>>> Maybe using plugman?
>>>
>>
>> Yes! Use plugman to install your plugins. It's kind-of annoying, but it's
>> the best way to get them to work.  If there's bugs with Plugman, you should
>> file an issue that it doesn't support this use case.
>>
>> Also, thanks for using the Embedded Cordova WebView! I'm really glad that
>> there's real people who use it, since at times I was thinking I was making
>> a big issue out of nothing.
>>
>>
>>>
>>>
>>> 2014-10-02 17:52 GMT+02:00 Ian Clelland <iclelland@chromium.org>:
>>>
>>> > That patch fixes the startURL / errorURL issue, which is one of the major
>>> > components of the 3.5.1 security release (CVE-2014-3500).
>>> >
>>> > The other issue is CVE-2014-3502, which is that intent urls can be launched
>>> > by a Cordova app regardless of the whitelist settings. There isn't a patch
>>> > which addresses this on the 2.x branch (unless IBM has produced one --
>>> > Mike?) but it shouldn't be much work to simply remove all of the code
>>> > that handles intent / sms / geo / tel / etc. URLs from the
>>> > shouldOverrideUrlLoading method of CordovaWebViewClient.java. If you remove
>>> > the intent-launching code from that method, then it should stop your
>>> > application from launching external applications.
>>> >
>>> > That being said, if you can afford to upgrade to 3.x (3.6.x now) then it
>>> > will be much easier for you to get additional security patches in the
>>> > future. We're not running or testing 2.x anymore, and can't guarantee, for
>>> > instance, that the patch that Andrew mentioned or the technique that I just
>>> > described will actually work.
>>> >
>>> > Ian
>>> >
>>> > On Thu, Oct 2, 2014 at 11:40 AM, Andrew Grieve <agrieve@chromium.org>
>>> > wrote:
>>> >
>>> > > That said, the relevant patch is here:
>>> > >
>>> > > https://github.com/apache/cordova-android/commit/2ab81bc5aeb575fef3657cf48a671607e81ca37d
>>> > >
>>> > > (Ian / Joe, please correct me if there's more than that)
>>> > >
>>> > > On Thu, Oct 2, 2014 at 11:29 AM, Joe Bowser <bowserj@gmail.com> wrote:
>>> > >
>>> > >> No, you should upgrade to 3.5.1.  We have dropped support for Cordova 2.x
>>> > >> months ago, and we recommend upgrading.
>>> > >>
>>> > >> On Thu, Oct 2, 2014 at 7:33 AM, <Steve.Wilson@bentley.com> wrote:
>>> > >>
>>> > >> > We have released applications in the Google Play store based on Cordova
>>> > >> > 2.7.0 and have received notification from Google that these apps are
>>> > >> > vulnerable to an Android Cordova security issue (
>>> > >> > http://cordova.apache.org/announcements/2014/08/04/android-351.html).
>>> > >> >
>>> > >> > Upgrading to Cordova 3.5.1 would require significant work on our part. Is
>>> > >> > there any possibility that you can release a patched Cordova Android
>>> > >> > version based on 2.7 that would fix this security vulnerability?
>>> > >> >
>>> > >> > Please let me know whether you think this would be possible on your part.
>>> > >> > Thank you!
>>> > >> >
>>> > >> > Thanks,
>>> > >> > Steve Wilson
>>> > >> >
>>> > >>
>>> > >
>>> >
>>>
>>
>>
>
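Ian's advice above for the CVE-2014-3502 part of the problem amounts to: an embedded WebView's `shouldOverrideUrlLoading` must never turn a non-web URL (intent:, sms:, geo:, tel:, and so on) into an Activity launch unless the whitelist says so. The class below is an added example written for this thread; it is not code from Apache Cordova's `CordovaWebViewClient.java` or from any of the posters. It uses only the stock Android `WebViewClient` and `Uri` APIs and assumes the host app supplies its own set of allowed hosts (the real Cordova whitelist supports wildcard patterns, which this simplified check does not model).

```java
import android.net.Uri;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not Cordova's own CordovaWebViewClient): a WebViewClient for an
 * embedded WebView that only ever lets http/https navigations to allow-listed
 * hosts proceed and never hands any other URL to the system. Because it never
 * calls startActivity(), a page served inside the WebView cannot cause the app
 * to launch an external application through an intent:/sms:/geo:/tel: URL.
 */
public class SchemeRestrictingWebViewClient extends WebViewClient {

    // Assumption: the embedded page may only navigate over plain web schemes.
    private static final Set<String> WEB_SCHEMES =
            new HashSet<>(Arrays.asList("http", "https"));

    // Assumption: the host app builds this from its own configuration; it plays
    // the role of Cordova's whitelist but matches exact host names only.
    private final Set<String> allowedHosts;

    public SchemeRestrictingWebViewClient(Set<String> allowedHosts) {
        Set<String> normalized = new HashSet<>();
        for (String host : allowedHosts) {
            normalized.add(host.toLowerCase(Locale.ROOT));
        }
        this.allowedHosts = normalized;
    }

    /** Pure decision function: true only for http(s) URLs whose host is allow-listed. */
    static boolean isAllowed(String url, Set<String> allowedHosts) {
        if (url == null) {
            return false;
        }
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        if (scheme == null || !WEB_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            // intent:, sms:, geo:, tel:, file:, javascript:, market: ... are all refused
            return false;
        }
        String host = uri.getHost();
        return host != null && allowedHosts.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        if (isAllowed(url, allowedHosts)) {
            // Let the WebView itself load the allow-listed page.
            return false;
        }
        // Returning true with no startActivity() call is what blocks the launch:
        // the WebView drops the navigation and nothing outside the app is invoked.
        return true;
    }

    // Constructed sample check, so the class can be exercised off-device in a
    // plain JUnit-less main(): the first URL is allowed, the rest are refused.
    public static void main(String[] args) {
        Set<String> allowed = new HashSet<>(Arrays.asList("example.com"));
        String[] samples = {
                "https://example.com/index.html",   // allowed
                "http://evil.example.net/page",     // host not allow-listed
                "intent://scan/#Intent;scheme=zxing;end", // non-web scheme
                "tel:+15555550100",                 // non-web scheme
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isAllowed(s, allowed) ? "load" : "blocked"));
        }
    }
}
```

The trade-off is deliberate: an app that legitimately needs to open the dialer or an external browser from inside its content should do that from native code on an explicit, app-controlled path rather than from whatever URL the WebView happens to navigate to. Note that `main()` uses `android.net.Uri`, so it runs under an Android toolchain or Robolectric, not a plain JVM.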
