CB-7291: Restrict meaning of "*" in internal whitelist to just http and https
Project: http://git-wip-us.apache.org/repos/asf/cordova-amazon-fireos/repo Commit: http://git-wip-us.apache.org/repos/asf/cordova-amazon-fireos/commit/5f2ced5b Tree: http://git-wip-us.apache.org/repos/asf/cordova-amazon-fireos/tree/5f2ced5b Diff: http://git-wip-us.apache.org/repos/asf/cordova-amazon-fireos/diff/5f2ced5b Branch: refs/heads/master Commit: 5f2ced5ba09c1b0f7080537d082e474b98b4e7cc Parents: 8afa753 Author: Ian Clelland <[email protected]> Authored: Tue Aug 26 14:58:00 2014 -0400 Committer: Archana Naik <[email protected]> Committed: Thu Aug 28 11:12:58 2014 -0700 ---------------------------------------------------------------------- framework/src/org/apache/cordova/ConfigXmlParser.java | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cordova-amazon-fireos/blob/5f2ced5b/framework/src/org/apache/cordova/ConfigXmlParser.java ----------------------------------------------------------------------
diff --git a/framework/src/org/apache/cordova/ConfigXmlParser.java b/framework/src/org/apache/cordova/ConfigXmlParser.java
index 57cf222..cc5b2fa 100644
--- a/framework/src/org/apache/cordova/ConfigXmlParser.java
+++ b/framework/src/org/apache/cordova/ConfigXmlParser.java
@@ -110,7 +110,19 @@ public class ConfigXmlParser {
 String origin = xml.getAttributeValue(null, "origin");
 String subdomains = xml.getAttributeValue(null, "subdomains");
 if (origin != null) {
- whitelist.addWhiteListEntry(origin, (subdomains != null) && (subdomains.compareToIgnoreCase("true") == 0));
+ if (external) {
+ externalWhitelist.addWhiteListEntry(origin, (subdomains != null) && (subdomains.compareToIgnoreCase("true") == 0));
+ } else {
+ if ("*".equals(origin)) {
+ // Special-case * origin to mean http and https when used for internal
+ // whitelist. This prevents external urls like sms: and geo: from being
+ // handled internally.
+ internalWhitelist.addWhiteListEntry("http://*/*", false);
+ internalWhitelist.addWhiteListEntry("https://*/*", false);
+ } else {
+ internalWhitelist.addWhiteListEntry(origin, (subdomains != null) && (subdomains.compareToIgnoreCase("true") == 0));
+ }
+ }
 }
 }
 else if (strNode.equals("preference")) {
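Review bot: The `"*".equals(origin)` test in the internal branch narrows only the exact string `*`, so any other value that the whitelist pattern syntax treats as match-everything (a whitespace-padded `*`, or a wildcard scheme if `addWhiteListEntry` accepts one, which is not visible here) still reaches `internalWhitelist.addWhiteListEntry(origin, ...)` unrestricted and would leave non-http schemes handled internally. It is worth confirming how the whitelist class parses scheme wildcards and normalising before the comparison, e.g. `if ("*".equals(origin.trim())) {`, with a comment stating that only the literal `*` is rewritten. The subdomains expression now appears twice on the new side; hoisting it to `boolean matchSubdomains = "true".equalsIgnoreCase(subdomains);` keeps the two calls in step and drops the explicit null check. The `external` flag and the enclosing branch are defined outside this hunk, so how `external` is derived cannot be checked from here.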
