cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From julio cesar sanchez <jcesarmob...@gmail.com>
Subject Re: Cordova Android < 3.5.1 XAS Security Vulnerability -- possibility of releasing a 2.7-based patched version
Date Thu, 02 Oct 2014 16:57:53 GMT
I have received the same mail.

BTW, in one of my apps I use an embedded cordova webview and I'm not sure
how to upgrade that app.

My main problem is I don't know how to install the core plugins I need,
that isn't explained on the embedding webviews guide. I don't think I can
use the CLI as the project isn't created with the CLI and isn't a real
cordova project.

Any hints?

Maybe using plugman?


2014-10-02 17:52 GMT+02:00 Ian Clelland <iclelland@chromium.org>:

> That patch fixes the startURL / errorURL issue, which is one of the major
> components of the 3.5.1 security release (CVE-2014-3500).
>
> The other issue is CVE-2014-3502, which is that intent urls can be launched
> by a Cordova app regardless of the whitelist settings. There isn't a patch
> which addresses this on the 2.x branch (unless IBM has produced one --
> Mike?) but it shouldn't be much work to simply remove the all of the code
> that handles intent / sms / geo / tel / etc. URLs from the
> shouldOverrideUrlLoading method of CordovaWebViewClient.java. If you remove
> the intent-launching code from that method, then it should stop your
> application from launching external applications.
>
> That being said, if you can afford to upgrade to 3.x (3.6.x now) then it
> will be much easier for you to get additional security patches in the
> future. We're not running or testing 2.x anymore, and can't guarantee, for
> instance, that the patch that Andrew mentioned or the technique that I just
> described will actually work.
>
> Ian
>
> On Thu, Oct 2, 2014 at 11:40 AM, Andrew Grieve <agrieve@chromium.org>
> wrote:
>
> > That said, the relevant patch is here:
> >
> >
> >
> https://github.com/apache/cordova-android/commit/2ab81bc5aeb575fef3657cf48a671607e81ca37d
> >
> > (Ian / Joe, please correct me if there's more than that)
> >
> >
> >
> > On Thu, Oct 2, 2014 at 11:29 AM, Joe Bowser <bowserj@gmail.com> wrote:
> >
> >> No, you should upgrade to 3.5.1.  We have dropped support for Cordova
> 2.x
> >> months ago, and we recommend upgrading.
> >>
> >> On Thu, Oct 2, 2014 at 7:33 AM, <Steve.Wilson@bentley.com> wrote:
> >>
> >> > We have released applications in the Google Play store based on
> Cordova
> >> > 2.7.0 and have received notification from Google that these apps are
> >> > vulnerable to an Android Cordova security issue (
> >> > http://cordova.apache.org/announcements/2014/08/04/android-351.html).
> >> >
> >> > Upgrading to Cordova 3.5.1 would require significant work on our part.
> >> Is
> >> > there any possibility that you can release a patched Cordova Android
> >> > version based on 2.7 that would fix this security vulnerability?
> >> >
> >> > Please let me know whether you think this would be possible on your
> >> part.
> >> > Thank you!
> >> >
> >> > Thanks,
> >> > Steve Wilson
> >> >
> >>
> >
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message