[ https://issues.apache.org/jira/browse/CB-9135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14578622#comment-14578622 ]
ASF GitHub Bot commented on CB-9135:
------------------------------------
GitHub user NoLongerLazyDhl opened a pull request:
https://github.com/apache/cordova-android/pull/181
CB-9135 fix the vulnerability bug
This is fixed in 4.0.x, but not in 3.7.x. The property
"LoadUrlTimeoutValue" still gets its value from the intent, not from the
configuration file. This commit will fix this bug.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/NoLongerLazyDhl/cordova-android 3.7.x
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/cordova-android/pull/181.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #181
----
commit 1b79f37951d959d1db2e24ba2d4513a608d034f1
Author: caoyr <[email protected]>
Date: 2015-06-09T09:07:56Z
CB-9135 fix the vulnerability bug
----
> Crash Apache Cordova App on Android using secondary configuration variable
> "loadurltimeoutvalue"
> ------------------------------------------------------------------------------------------------
>
> Key: CB-9135
> URL: https://issues.apache.org/jira/browse/CB-9135
> Project: Apache Cordova
> Issue Type: Bug
> Components: Android, CordovaLib, mobile-spec
> Environment: Android
> Reporter: xianghui
>
> Apache Cordova App's secondary configuration variables on Android can be
> remotely exploited.
> The details are in the following links:
> 1. http://cordova.apache.org/announcements/2015/05/26/android-402.html
> 2. http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-apache-vulnerability-that-allows-one-click-modification-of-android-apps/
> However, the fix isn't complete. Using the following adb command, it can
> still crash the Cordova App.
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> adb shell am start -n org.apache.mobilespec/.CordovaApp -es
> loadurltimeoutvalue "aaa"
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> The reason is that in CordovaWebView.java's loadUrlIntoView(final String url,
> boolean recreatePlugins) method, it tries to get the "loadurltimeoutvalue" value
> from the Activity's intent, which is then parsed as an int using the following code.
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> final int loadUrlTimeoutValue =
> Integer.parseInt(this.getProperty("LoadUrlTimeoutValue", "20000"));
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> However, if the value isn't an int type, such as "aaa", it will throw
> "java.lang.NumberFormatException", and crash the App.
> The possible solution is to verify whether the value is an int type. If it's a
> valid int type value, we can use the value, or else ignore the value and use the
> default.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
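
The validation suggested in the issue, combined with the pull request's point that the value should come from the configuration file rather than the intent, as an added example that is not code from cordova-android or from the pull request. Plain `Map` objects stand in for intent extras and configuration-file preferences, and the class name, method names and the MIN/MAX bounds are assumptions.

```java
import java.util.Map;

// Added example: Maps stand in for Android intent extras and the app's configuration file.
public class LoadUrlTimeoutDemo {
    static final int DEFAULT_TIMEOUT_MS = 20000;  // default used in the code quoted in the issue
    static final int MIN_TIMEOUT_MS = 1000;       // assumed lower bound, not from the page
    static final int MAX_TIMEOUT_MS = 120000;     // assumed upper bound, not from the page

    // Behaviour described in the issue: a caller-supplied extra is parsed unchecked.
    static int unsafeTimeout(Map<String, String> intentExtras) {
        String raw = intentExtras.getOrDefault("loadurltimeoutvalue", "20000");
        return Integer.parseInt(raw);             // NumberFormatException on non-numeric input
    }

    // Hardened: read only the app's own configuration, validate, fall back to the default.
    static int safeTimeout(Map<String, String> configPrefs) {
        String raw = configPrefs.get("loadurltimeoutvalue");
        if (raw == null) {
            return DEFAULT_TIMEOUT_MS;
        }
        try {
            int value = Integer.parseInt(raw.trim());
            // Reject values that parse but make no sense as a timeout.
            if (value < MIN_TIMEOUT_MS || value > MAX_TIMEOUT_MS) {
                return DEFAULT_TIMEOUT_MS;
            }
            return value;
        } catch (NumberFormatException e) {
            return DEFAULT_TIMEOUT_MS;            // malformed value is ignored, not fatal
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: one external extra, one configuration entry.
        Map<String, String> intentExtras = Map.of("loadurltimeoutvalue", "aaa");
        Map<String, String> configPrefs = Map.of("loadurltimeoutvalue", "30000");
        try {
            unsafeTimeout(intentExtras);
        } catch (NumberFormatException e) {
            System.out.println("unvalidated parse failed: " + e.getMessage());
        }
        System.out.println("from config: " + safeTimeout(configPrefs));
        System.out.println("malformed config: " + safeTimeout(Map.of("loadurltimeoutvalue", "aaa")));
        System.out.println("missing key: " + safeTimeout(Map.of()));
    }
}
```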