xianghui created CB-9135:
----------------------------
Summary: Crash Apache Cordova App on Android using secondary
configuration variable "loadurltimeoutvalue"
Key: CB-9135
URL: https://issues.apache.org/jira/browse/CB-9135
Project: Apache Cordova
Issue Type: Bug
Components: Android, CordovaLib, mobile-spec
Environment: Android
Reporter: xianghui
It can remote exploit Apache Cordova App's secondary configuration variables on
Android.
The details are in the following links:
1.http://cordova.apache.org/announcements/2015/05/26/android-402.html
2.http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-apache-vulnerability-that-allows-one-click-modification-of-android-apps/
However, the fix isn't complete. Using the following adb command, it can still
crash the Cordova App.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
adb shell am start -n org.apache.mobilespec/.CordovaApp -es loadurltimeoutvalue
"aaa"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
The reason is that in CordovaWebView.java's loadUrlIntoView(final String url,
boolean recreatePlugins) mehtod, it try to get "loadurltimeoutvalue" value from
Activity's intent and then be parsed int using the following code.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
final int loadUrlTimeoutValue =
Integer.parseInt(this.getProperty("LoadUrlTimeoutValue", "20000"));
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
However, if the value isn't a int type, such as "aaa", it will throw
"java.lang.NumberFormatException", and crash the App.
The possible solution is to verify the value if it's a int type. If it's a
valid int type value, we can use the value, or ignore the value and use the
default.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
