** Description changed:

  Ubuntu SDK applications that use webkit webviews store webkit databases in 
places like this:
  ~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db
  ~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db
  
  This results in AppArmor rules like the following:
  owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db" 
rwk,
  owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db" rwk,
  
  But these rules are too lenient because this could disclose data to a
  malicious app and a malicious app could poison the databases. Therefore,
- these paths need to be made application specific. Specifically:
- somewhere in $XDG_DATA_HOME/<app id> where '<app id>' will ultimately be
- the reverse domain name with Click packages (see bug #1197037 for
- details on '<app id>').
+ these paths need to be made application specific. Specifically
+ webbrowser-app should be adjusted to use $XDG_DATA_HOME/<app_pkgname>
+ for webapps, where '<app_pkgname>' is the "name" field in the Click
+ manifest (see bug #1197037 for details).
  
  The same bug affects cordova-ubuntu, but writes are to 
@{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit resulting in these 
too-lenient rules:
    owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/WebpageIcons.db" rwk,
    owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/cookies.db" rwk,
    owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/LocalStorage/"   r,
-   owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/LocalStorage/**" rwk,
+   owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/LocalStorage/**" rwk,
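Review bot: the new wording at "webbrowser-app should be adjusted to use $XDG_DATA_HOME/<app_pkgname>" scopes the fix to webbrowser-app webapps, but the unchanged text still lists the QtQmlViewer paths and says the same bug affects cordova-ubuntu without naming an application-specific directory for it. The cordova-ubuntu path is keyed on the runtime version (cordova-ubuntu-2.8) and its rules use the cordova-ubuntu* glob, so the disclosure and poisoning concern stated above applies there as well. Suggest stating the same $XDG_DATA_HOME/<app_pkgname> requirement for cordova-ubuntu, and saying whether plain SDK webview apps (the QtQmlViewer case) are covered by this bug or tracked elsewhere. The final -/+ pair on the LocalStorage/** rule differs only in whitespace and could be dropped from the change.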

https://bugs.launchpad.net/bugs/1197056

Title:
  SDK webview applications should not use ~/.local/share/*/.QtWebKit/
  for their databases