Date: Thu, 17 Aug 2017 10:57:00 +0000 (UTC)
From: "GSS FED (JIRA)"
To: issues@cordova.apache.org
Subject: [jira] [Created] (CB-13186) HP Fortify SCA - Dynamic Code Evaluation: Unsafe Deserialization issue in cordova-plugin-file/src/android/AssetFilesystem.java

GSS FED created CB-13186:
----------------------------

             Summary: HP Fortify SCA - Dynamic Code Evaluation: Unsafe Deserialization issue in cordova-plugin-file/src/android/AssetFilesystem.java
                 Key: CB-13186
                 URL: https://issues.apache.org/jira/browse/CB-13186
             Project: Apache Cordova
          Issue Type: Bug
          Components: cordova-android, cordova-plugin-file
    Affects Versions: 5.1.1
         Environment: Android 4 (Crosswalk)
            Reporter: GSS FED
            Assignee: Joe Bowser

Dynamic Code Evaluation: Unsafe Deserialization
[https://vulncat.hpefod.com/en/detail?id=desc.structural.java.dynamic_code_evaluation_unsafe_deserialization]

Abstract:
Deserializing user-controlled object streams at runtime can allow attackers to execute arbitrary code on the server, abuse application logic, and/or cause a denial of service.

Line: 56
Snippet:
{code:java}
try {
    ois = new ObjectInputStream(assetManager.open("cdvasset.manifest"));
    listCache = (Map<String, String[]>) ois.readObject();
    lengthCache = (Map<String, Long>) ois.readObject();
    listCacheFromFile = true;
{code}
TargetFunction: FunctionCall: readObject()

Line: 57
Snippet:
{code:java}
    ois = new ObjectInputStream(assetManager.open("cdvasset.manifest"));
    listCache = (Map<String, String[]>) ois.readObject();
    lengthCache = (Map<String, Long>) ois.readObject();
    listCacheFromFile = true;
} catch (ClassNotFoundException e) {
{code}
TargetFunction: FunctionCall: readObject()