cordova-dev mailing list archives

From Ian Clelland <iclell...@chromium.org>
Subject Re: Cordova Android < 3.5.1 XAS Security Vulnerability -- possibility of releasing a 2.7-based patched version
Date Thu, 02 Oct 2014 15:52:28 GMT
That patch fixes the startURL / errorURL issue, which is one of the major
components of the 3.5.1 security release (CVE-2014-3500).

The other issue is CVE-2014-3502, which is that intent urls can be launched
by a Cordova app regardless of the whitelist settings. There isn't a patch
which addresses this on the 2.x branch (unless IBM has produced one --
Mike?) but it shouldn't be much work to simply remove all of the code
that handles intent / sms / geo / tel / etc. URLs from the
shouldOverrideUrlLoading method of CordovaWebViewClient.java. If you remove
the intent-launching code from that method, then it should stop your
application from launching external applications.

That being said, if you can afford to upgrade to 3.x (3.6.x now) then it
will be much easier for you to get additional security patches in the
future. We're not running or testing 2.x anymore, and can't guarantee, for
instance, that the patch that Andrew mentioned or the technique that I just
described will actually work.

Ian

On Thu, Oct 2, 2014 at 11:40 AM, Andrew Grieve <agrieve@chromium.org> wrote:

> That said, the relevant patch is here:
>
>
> https://github.com/apache/cordova-android/commit/2ab81bc5aeb575fef3657cf48a671607e81ca37d
>
> (Ian / Joe, please correct me if there's more than that)
>
>
>
> On Thu, Oct 2, 2014 at 11:29 AM, Joe Bowser <bowserj@gmail.com> wrote:
>
>> No, you should upgrade to 3.5.1.  We dropped support for Cordova 2.x
>> months ago, and we recommend upgrading.
>>
>> On Thu, Oct 2, 2014 at 7:33 AM, <Steve.Wilson@bentley.com> wrote:
>>
>> > We have released applications in the Google Play store based on Cordova
>> > 2.7.0 and have received notification from Google that these apps are
>> > vulnerable to an Android Cordova security issue (
>> > http://cordova.apache.org/announcements/2014/08/04/android-351.html).
>> >
>> > Upgrading to Cordova 3.5.1 would require significant work on our part.
>> > Is there any possibility that you can release a patched Cordova Android
>> > version based on 2.7 that would fix this security vulnerability?
>> >
>> > Please let me know whether you think this would be possible on your
>> > part.
>> > Thank you!
>> >
>> > Thanks,
>> > Steve Wilson
>> >
>>
>
>
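
The 2.x workaround described at the top of this message (removing the intent-launching code from shouldOverrideUrlLoading), modelled as an added example that is not code from cordova-android or from anyone in this thread: a navigation decision with no "launch external app" outcome, so intent / sms / geo / tel URLs are dropped. The class name, the exact-host whitelist and the sample URLs are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added illustration: a model of the navigation decision, not Cordova code.
public class NavigationPolicy {
    enum Decision { LOAD_IN_WEBVIEW, BLOCK }

    private static final Set<String> WEB_SCHEMES = Set.of("http", "https");
    private final Set<String> allowedHosts; // hypothetical exact-host whitelist

    NavigationPolicy(Set<String> allowedHosts) { this.allowedHosts = allowedHosts; }

    // There is deliberately no "launch external app" outcome: with the
    // intent-launching branch removed, a URL loads in the WebView or is dropped.
    Decision decide(String url) {
        if (url == null) return Decision.BLOCK;
        URI uri;
        try {
            uri = new URI(url.trim());
        } catch (URISyntaxException e) {
            return Decision.BLOCK; // unparseable input is never navigated
        }
        String scheme = uri.getScheme();
        String host = uri.getHost(); // null for opaque URIs such as tel: or sms:
        if (scheme == null || host == null) return Decision.BLOCK;
        // Schemes are case-insensitive, so normalise before comparing.
        if (!WEB_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) return Decision.BLOCK;
        // Exact match only: a suffix test would also accept "evil-example.com".
        return allowedHosts.contains(host.toLowerCase(Locale.ROOT))
                ? Decision.LOAD_IN_WEBVIEW : Decision.BLOCK;
    }

    public static void main(String[] args) {
        NavigationPolicy policy = new NavigationPolicy(Set.of("example.com"));
        // Constructed sample URLs, not taken from the thread.
        List<String> samples = List.of(
                "https://example.com/index.html",
                "https://evil-example.com/",
                "INTENT://scan/#Intent;scheme=zxing;end",
                "tel:5551234",
                "sms:5551234?body=hi",
                "geo:0,0?q=somewhere");
        for (String s : samples) System.out.println(policy.decide(s) + "  " + s);
    }
}
```

In an Android WebViewClient, BLOCK corresponds to returning true from shouldOverrideUrlLoading without starting any activity, and LOAD_IN_WEBVIEW to returning false.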
