I have received the same mail. BTW, in one of my apps I use an embedded cordova webview and I'm not sure how to upgrade that app.
My main problem is I don't know how to install the core plugins I need; that isn't explained in the embedding WebViews guide. I don't think I can use the CLI, as the project wasn't created with the CLI and isn't a real Cordova project. Any hints? Maybe using plugman?

2014-10-02 17:52 GMT+02:00 Ian Clelland <iclell...@chromium.org>:

> That patch fixes the startURL / errorURL issue, which is one of the major components of the 3.5.1 security release (CVE-2014-3500).
>
> The other issue is CVE-2014-3502, which is that intent URLs can be launched by a Cordova app regardless of the whitelist settings. There isn't a patch which addresses this on the 2.x branch (unless IBM has produced one -- Mike?) but it shouldn't be much work to simply remove all of the code that handles intent / sms / geo / tel / etc. URLs from the shouldOverrideUrlLoading method of CordovaWebViewClient.java. If you remove the intent-launching code from that method, then it should stop your application from launching external applications.
>
> That being said, if you can afford to upgrade to 3.x (3.6.x now) then it will be much easier for you to get additional security patches in the future. We're not running or testing 2.x anymore, and can't guarantee, for instance, that the patch that Andrew mentioned or the technique that I just described will actually work.
>
> Ian
>
> On Thu, Oct 2, 2014 at 11:40 AM, Andrew Grieve <agri...@chromium.org> wrote:
>
> > That said, the relevant patch is here:
> >
> > https://github.com/apache/cordova-android/commit/2ab81bc5aeb575fef3657cf48a671607e81ca37d
> >
> > (Ian / Joe, please correct me if there's more than that)
> >
> > On Thu, Oct 2, 2014 at 11:29 AM, Joe Bowser <bows...@gmail.com> wrote:
> >
> >> No, you should upgrade to 3.5.1. We dropped support for Cordova 2.x months ago, and we recommend upgrading.
> >>
> >> On Thu, Oct 2, 2014 at 7:33 AM, <steve.wil...@bentley.com> wrote:
> >>
> >> > We have released applications in the Google Play store based on Cordova 2.7.0 and have received notification from Google that these apps are vulnerable to an Android Cordova security issue (http://cordova.apache.org/announcements/2014/08/04/android-351.html).
> >> >
> >> > Upgrading to Cordova 3.5.1 would require significant work on our part. Is there any possibility that you can release a patched Cordova Android version based on 2.7 that would fix this security vulnerability?
> >> >
> >> > Please let me know whether you think this would be possible on your part. Thank you!
> >> >
> >> > Thanks,
> >> > Steve Wilson
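An added example of the hardening Ian describes in the quoted reply (not code from the thread, from Cordova, or from CordovaWebViewClient.java): a WebViewClient whose shouldOverrideUrlLoading refuses every scheme other than http/https and every host outside an explicit whitelist, so intent:, sms:, geo: and tel: URLs are logged and dropped instead of being handed to startActivity(). The class name and the host whitelist are assumptions.

```java
import android.net.Uri;
import android.util.Log;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Added example, not Cordova's CordovaWebViewClient. Where the 2.x client
// handled intent:, sms:, geo:, tel: etc. URLs by starting an Activity, this
// client refuses every non-web scheme, so a page can never open another app.
public class LockedDownWebViewClient extends WebViewClient {
    private static final String TAG = "LockedDownWebViewClient";
    private static final Set<String> WEB_SCHEMES =
            new HashSet<>(Arrays.asList("http", "https"));

    // Hosts the app may navigate to (assumed value; use the app's own whitelist).
    private final Set<String> allowedHosts;

    public LockedDownWebViewClient(Set<String> allowedHosts) {
        this.allowedHosts = allowedHosts;
    }

    // Returning true tells the WebView not to load the URL. There is deliberately
    // no fallthrough to startActivity(): blocked URLs are dropped, not launched.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        return !isAllowed(url);
    }

    // Decision logic kept separate from the callback so it can be unit tested.
    boolean isAllowed(String url) {
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || !WEB_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            Log.w(TAG, "Blocked non-web URL: " + url);
            return false;
        }
        if (host == null || !allowedHosts.contains(host.toLowerCase(Locale.ROOT))) {
            Log.w(TAG, "Blocked off-whitelist host: " + url);
            return false;
        }
        return true;
    }
}
```

In a 2.x embedding the real CordovaWebViewClient does more than URL filtering, so the same check would replace the intent-handling branch inside its shouldOverrideUrlLoading rather than swap out the whole client.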