On Thu, Oct 2, 2014 at 9:57 AM, julio cesar sanchez <jcesarmob...@gmail.com>
wrote:

> I have received the same mail.
>
> BTW, in one of my apps I use an embedded cordova webview and I'm not sure
> how to upgrade that app.
>
> My main problem is I don't know how to install the core plugins I need,
> that isn't explained on the embedding webviews guide. I don't think I can
> use the CLI as the project isn't created with the CLI and isn't a real
> cordova project.
>
> Any hints?
>
> Maybe using plugman?
>

Yes! Use plugman to install your plugins. It's kind of annoying, but it's
the best way to get them to work. If there are bugs with Plugman, you should
file an issue that it doesn't support this use case.

Also, thanks for using the Embedded Cordova WebView! I'm really glad that
there are real people who use it, since at times I was thinking I was making
a big issue out of nothing.


>
>
> 2014-10-02 17:52 GMT+02:00 Ian Clelland <iclell...@chromium.org>:
>
> > That patch fixes the startURL / errorURL issue, which is one of the major
> > components of the 3.5.1 security release (CVE-2014-3500).
> >
> > The other issue is CVE-2014-3502, which is that intent URLs can be launched
> > by a Cordova app regardless of the whitelist settings. There isn't a patch
> > which addresses this on the 2.x branch (unless IBM has produced one --
> > Mike?) but it shouldn't be much work to simply remove all of the code
> > that handles intent / sms / geo / tel / etc. URLs from the
> > shouldOverrideUrlLoading method of CordovaWebViewClient.java. If you remove
> > the intent-launching code from that method, then it should stop your
> > application from launching external applications.
> >
> > That being said, if you can afford to upgrade to 3.x (3.6.x now) then it
> > will be much easier for you to get additional security patches in the
> > future. We're not running or testing 2.x anymore, and can't guarantee, for
> > instance, that the patch that Andrew mentioned or the technique that I just
> > described will actually work.
> >
> > Ian
> >
> > On Thu, Oct 2, 2014 at 11:40 AM, Andrew Grieve <agri...@chromium.org>
> > wrote:
> >
> > > That said, the relevant patch is here:
> > >
> > > https://github.com/apache/cordova-android/commit/2ab81bc5aeb575fef3657cf48a671607e81ca37d
> > >
> > > (Ian / Joe, please correct me if there's more than that)
> > >
> > >
> > >
> > > On Thu, Oct 2, 2014 at 11:29 AM, Joe Bowser <bows...@gmail.com> wrote:
> > >
> > >> No, you should upgrade to 3.5.1.  We have dropped support for Cordova 2.x
> > >> months ago, and we recommend upgrading.
> > >>
> > >> On Thu, Oct 2, 2014 at 7:33 AM, <steve.wil...@bentley.com> wrote:
> > >>
> > >> > We have released applications in the Google Play store based on Cordova
> > >> > 2.7.0 and have received notification from Google that these apps are
> > >> > vulnerable to an Android Cordova security issue (
> > >> > http://cordova.apache.org/announcements/2014/08/04/android-351.html ).
> > >> >
> > >> > Upgrading to Cordova 3.5.1 would require significant work on our part. Is
> > >> > there any possibility that you can release a patched Cordova Android
> > >> > version based on 2.7 that would fix this security vulnerability?
> > >> >
> > >> > Please let me know whether you think this would be possible on your part.
> > >> > Thank you!
> > >> >
> > >> > Thanks,
> > >> > Steve Wilson
> > >> >
> > >>
> > >
> > >
> >
>
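
The mitigation Ian describes for CVE-2014-3502 (never launching external apps from shouldOverrideUrlLoading), sketched as an added example; this is not code from the thread or from the Cordova project. The class name and the set of allowed schemes are assumptions, and any http/https URL that passes here still needs the app's own whitelist check.

```java
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical class; in a Cordova 2.x fork the same logic would replace the
// intent / sms / geo / tel branches inside CordovaWebViewClient.
public class NoExternalLaunchClient extends WebViewClient {

    // Schemes the WebView is allowed to load itself (assumed set; adjust per app).
    private static final Set<String> IN_WEBVIEW =
            new HashSet<String>(Arrays.asList("http", "https", "file"));

    /** Returns the lower-cased scheme, or null when the URL has none. */
    static String schemeOf(String url) {
        if (url == null) return null;
        int colon = url.indexOf(':');
        if (colon <= 0) return null;
        // Schemes are case-insensitive, so "TEL:" and "Intent:" must match too.
        return url.substring(0, colon).trim().toLowerCase(Locale.ROOT);
    }

    /** True for anything that is not loaded in-place: intent:, sms:, geo:, tel:, market:, ... */
    static boolean isBlocked(String url) {
        String scheme = schemeOf(url);
        return scheme == null || !IN_WEBVIEW.contains(scheme);
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        if (isBlocked(url)) {
            // Returning true tells the WebView the host has handled the URL.
            // No Intent is built and startActivity() is never called, so page
            // content cannot start another application.
            return true;
        }
        // Returning false lets the WebView load the URL itself.
        return false;
    }
}
```

Using an allow-list of schemes rather than a list of blocked ones means a scheme nobody thought of is dropped by default.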
