Repository: cordova-plugin-file-transfer Updated Branches: refs/heads/master 68e97542d -> 82100791e
CB-12809: Google Play Blocker: Unsafe SSL TrustManager Defined Closes #187 Project: http://git-wip-us.apache.org/repos/asf/cordova-plugin-file-transfer/repo Commit: http://git-wip-us.apache.org/repos/asf/cordova-plugin-file-transfer/commit/82100791 Tree: http://git-wip-us.apache.org/repos/asf/cordova-plugin-file-transfer/tree/82100791 Diff: http://git-wip-us.apache.org/repos/asf/cordova-plugin-file-transfer/diff/82100791 Branch: refs/heads/master Commit: 82100791e3b2a0a7baef3749623413576ff406f1 Parents: 68e9754 Author: Simon MacDonald <[email protected]> Authored: Mon Aug 21 11:42:25 2017 -0400 Committer: Simon MacDonald <[email protected]> Committed: Thu Aug 31 17:33:27 2017 -0400 ---------------------------------------------------------------------- README.md | 4 +- src/android/FileTransfer.java | 99 -------------------------------------- 2 files changed, 2 insertions(+), 101 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cordova-plugin-file-transfer/blob/82100791/README.md ---------------------------------------------------------------------- diff --git a/README.md b/README.md index bcfc26a..a5c042e 100644 --- a/README.md +++ b/README.md @@ -102,7 +102,7 @@ __Parameters__: - __chunkedMode__: Whether to upload the data in chunked streaming mode. Defaults to `true`. (Boolean) - __headers__: A map of header name/header values. Use a hash to specify one or more than one value. On iOS, FireOS, and Android, if a header named Content-Type is present, multipart form data will NOT be used. (Object) -- __trustAllHosts__: Optional parameter, defaults to `false`. If set to `true`, it accepts all security certificates. This is useful since Android rejects self-signed security certificates. Not recommended for production use. Supported on Android and iOS. _(boolean)_ +- __trustAllHosts__: Optional parameter, defaults to `false`. If set to `true`, it accepts all security certificates. Not recommended for production use. Supported on iOS. _(boolean)_ ### Example @@ -218,7 +218,7 @@ __Parameters__: - __errorCallback__: A callback that executes if an error occurs when retrieving the `FileEntry`. Invoked with a `FileTransferError` object. _(Function)_ -- __trustAllHosts__: Optional parameter, defaults to `false`. If set to `true`, it accepts all security certificates. This is useful because Android rejects self-signed security certificates. Not recommended for production use. Supported on Android and iOS. _(boolean)_ +- __trustAllHosts__: Optional parameter, defaults to `false`. If set to `true`, it accepts all security certificates. Not recommended for production use. Supported on iOS. _(boolean)_ - __options__: Optional parameters, currently only supports headers (such as Authorization (Basic Authentication), etc). http://git-wip-us.apache.org/repos/asf/cordova-plugin-file-transfer/blob/82100791/src/android/FileTransfer.java ---------------------------------------------------------------------- diff --git a/src/android/FileTransfer.java b/src/android/FileTransfer.java index de15981..5a3c5d6 100644 --- a/src/android/FileTransfer.java +++ b/src/android/FileTransfer.java @@ -33,22 +33,11 @@ import java.lang.reflect.Field; import java.lang.reflect.Method; import java.net.HttpURLConnection; import java.net.URLConnection; -import java.security.cert.CertificateException; -import java.security.cert.X509Certificate; import java.util.HashMap; import java.util.Iterator; import java.util.zip.GZIPInputStream; import java.util.zip.Inflater; -import javax.net.ssl.HostnameVerifier; -import javax.net.ssl.HttpsURLConnection; -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLSession; -import javax.net.ssl.SSLSocketFactory; -import javax.net.ssl.TrustManager; -import javax.net.ssl.X509TrustManager; - -import org.apache.cordova.Config; import org.apache.cordova.CallbackContext; import org.apache.cordova.CordovaPlugin; import org.apache.cordova.CordovaResourceApi; @@ -284,7 +273,6 @@ public class FileTransfer extends CordovaPlugin { final String fileName = getArgument(args, 3, "image.jpg"); final String mimeType = getArgument(args, 4, "image/jpeg"); final JSONObject params = args.optJSONObject(5) == null ? new JSONObject() : args.optJSONObject(5); - final boolean trustEveryone = args.optBoolean(6); // Always use chunked mode unless set to false as per API final boolean chunkedMode = args.optBoolean(7) || args.isNull(7); // Look for headers on the params map for backwards compatibility with older Cordova versions. @@ -298,7 +286,6 @@ public class FileTransfer extends CordovaPlugin { LOG.d(LOG_TAG, "fileName: " + fileName); LOG.d(LOG_TAG, "mimeType: " + mimeType); LOG.d(LOG_TAG, "params: " + params); - LOG.d(LOG_TAG, "trustEveryone: " + trustEveryone); LOG.d(LOG_TAG, "chunkedMode: " + chunkedMode); LOG.d(LOG_TAG, "headers: " + headers); LOG.d(LOG_TAG, "objectId: " + objectId); @@ -334,8 +321,6 @@ public class FileTransfer extends CordovaPlugin { tmpSrc.getScheme() != null ? tmpSrc : Uri.fromFile(new File(source))); HttpURLConnection conn = null; - HostnameVerifier oldHostnameVerifier = null; - SSLSocketFactory oldSocketFactory = null; int totalBytes = 0; int fixedLength = -1; try { @@ -346,15 +331,6 @@ public class FileTransfer extends CordovaPlugin { //------------------ CLIENT REQUEST // Open a HTTP connection to the URL based on protocol conn = resourceApi.createHttpConnection(targetUri); - if (useHttps && trustEveryone) { - // Setup the HTTPS connection class to trust everyone - HttpsURLConnection https = (HttpsURLConnection)conn; - oldSocketFactory = trustAllHosts(https); - // Save the current hostnameVerifier - oldHostnameVerifier = https.getHostnameVerifier(); - // Setup the connection not to verify hostnames - https.setHostnameVerifier(DO_NOT_VERIFY); - } // Allow Inputs conn.setDoInput(true); @@ -566,15 +542,6 @@ public class FileTransfer extends CordovaPlugin { synchronized (activeRequests) { activeRequests.remove(objectId); } - - if (conn != null) { - // Revert back to the proper verifier and socket factories - if (trustEveryone && useHttps) { - HttpsURLConnection https = (HttpsURLConnection) conn; - https.setHostnameVerifier(oldHostnameVerifier); - https.setSSLSocketFactory(oldSocketFactory); - } - } } } }); @@ -597,50 +564,6 @@ public class FileTransfer extends CordovaPlugin { return new SimpleTrackingInputStream(conn.getInputStream()); } - // always verify the host - don't check for certificate - private static final HostnameVerifier DO_NOT_VERIFY = new HostnameVerifier() { - public boolean verify(String hostname, SSLSession session) { - return true; - } - }; - // Create a trust manager that does not validate certificate chains - private static final TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() { - public java.security.cert.X509Certificate[] getAcceptedIssuers() { - return new java.security.cert.X509Certificate[] {}; - } - - public void checkClientTrusted(X509Certificate[] chain, - String authType) throws CertificateException { - } - - public void checkServerTrusted(X509Certificate[] chain, - String authType) throws CertificateException { - } - } }; - - /** - * This function will install a trust manager that will blindly trust all SSL - * certificates. The reason this code is being added is to enable developers - * to do development using self signed SSL certificates on their web server. - * - * The standard HttpsURLConnection class will throw an exception on self - * signed certificates if this code is not run. - */ - private static SSLSocketFactory trustAllHosts(HttpsURLConnection connection) { - // Install the all-trusting trust manager - SSLSocketFactory oldFactory = connection.getSSLSocketFactory(); - try { - // Install our all trusting manager - SSLContext sc = SSLContext.getInstance("TLS"); - sc.init(null, trustAllCerts, new java.security.SecureRandom()); - SSLSocketFactory newFactory = sc.getSocketFactory(); - connection.setSSLSocketFactory(newFactory); - } catch (Exception e) { - LOG.e(LOG_TAG, e.getMessage(), e); - } - return oldFactory; - } - private static JSONObject createFileTransferError(int errorCode, String source, String target, URLConnection connection, Throwable throwable) { int httpStatus = 0; @@ -739,7 +662,6 @@ public class FileTransfer extends CordovaPlugin { final CordovaResourceApi resourceApi = webView.getResourceApi(); - final boolean trustEveryone = args.optBoolean(2); final String objectId = args.getString(3); final JSONObject headers = args.optJSONObject(4); @@ -809,8 +731,6 @@ public class FileTransfer extends CordovaPlugin { Uri targetUri = resourceApi.remapUri( tmpTarget.getScheme() != null ? tmpTarget : Uri.fromFile(new File(target))); HttpURLConnection connection = null; - HostnameVerifier oldHostnameVerifier = null; - SSLSocketFactory oldSocketFactory = null; File file = null; PluginResult result = null; TrackingInputStream inputStream = null; @@ -838,16 +758,6 @@ public class FileTransfer extends CordovaPlugin { // connect to server // Open a HTTP connection to the URL based on protocol connection = resourceApi.createHttpConnection(sourceUri); - if (useHttps && trustEveryone) { - // Setup the HTTPS connection class to trust everyone - HttpsURLConnection https = (HttpsURLConnection)connection; - oldSocketFactory = trustAllHosts(https); - // Save the current hostnameVerifier - oldHostnameVerifier = https.getHostnameVerifier(); - // Setup the connection not to verify hostnames - https.setHostnameVerifier(DO_NOT_VERIFY); - } - connection.setRequestMethod("GET"); // TODO: Make OkHttp use this CookieManager by default. @@ -973,15 +883,6 @@ public class FileTransfer extends CordovaPlugin { activeRequests.remove(objectId); } - if (connection != null) { - // Revert back to the proper verifier and socket factories - if (trustEveryone && useHttps) { - HttpsURLConnection https = (HttpsURLConnection) connection; - https.setHostnameVerifier(oldHostnameVerifier); - https.setSSLSocketFactory(oldSocketFactory); - } - } - if (result == null) { result = new PluginResult(PluginResult.Status.ERROR, createFileTransferError(CONNECTION_ERR, source, target, connection, null)); } --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
