--webappUrlPatterns should be hardened
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| webbrowser-app (Ubuntu) | Fix Released | Undecided | Alexandre Abreu | |
| Saucy | Fix Released | Undecided | Alexandre Abreu | |
Bug Description
In discussing https:/
UrlPatterns: http://
Starting URL: http://
Options are to
* disallow the pattern (ie, fail to launch)
* try to cleanup the pattern
* just let the app review process handle it
I haven't looked at what webbrowser-app is doing and I'm not sure how much you want to do with it, but please consider multiple globs when performing your hardening. Non exhaustive potentially bad urls:
http://
http://
http://
http://
http://
http://
...
It might be easiest to:
* only allow one glob
* the glob must happen after a '/'
* the glob must be at the end
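The three constraints proposed above can be checked mechanically before a pattern is accepted. The following is an added example, not code from webbrowser-app or from the bug reporter; the function names `isHardenedUrlPattern` and `acceptedPatterns` and the sample pattern list are assumptions made here. It reads "the glob must happen after a '/'" as: the '*' must be preceded by a '/' that comes after the `scheme://` separator, so a glob in the host part is rejected; patterns with no glob at all are accepted as literal URLs (also an assumption). It uses plain `std::string` rather than Qt so it compiles stand-alone.

```cpp
// Added example (not the webbrowser-app source): validate --webappUrlPatterns
// entries against the three rules proposed in this bug report.
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Returns true when `pattern` satisfies:
//   1. at most one '*' glob (a pattern with no glob is treated as a literal URL),
//   2. the glob sits in the path, i.e. after a '/' that follows "scheme://"
//      (assumed reading of "the glob must happen after a '/'"),
//   3. the glob is the final character of the pattern.
bool isHardenedUrlPattern(const std::string& pattern)
{
    // Require a "scheme://" separator with a non-empty scheme.
    const std::size_t scheme = pattern.find("://");
    if (scheme == std::string::npos || scheme == 0) return false;

    // Require a non-empty host: the character after "://" exists and is not '/'.
    const std::size_t pathStart = scheme + 3;
    if (pathStart >= pattern.size() || pattern[pathStart] == '/') return false;

    const std::size_t glob = pattern.find('*');
    if (glob == std::string::npos) return true;  // no glob: literal URL (assumption)

    // Rule 1: only one glob.
    if (pattern.find('*', glob + 1) != std::string::npos) return false;

    // Rule 3: the glob must be the last character.
    if (glob != pattern.size() - 1) return false;

    // Rule 2: a '/' must appear after "scheme://" and before the glob, which
    // rejects globs placed in the host ("http://*.example.com/", "http://example.*").
    const std::size_t slash = pattern.find('/', pathStart);
    return slash != std::string::npos && slash < glob;
}

// Keep only the patterns that pass; mirrors the "disallow the pattern" option.
std::vector<std::string> acceptedPatterns(const std::vector<std::string>& patterns)
{
    std::vector<std::string> accepted;
    for (const std::string& p : patterns) {
        if (isHardenedUrlPattern(p)) accepted.push_back(p);
    }
    return accepted;
}

// Constructed sample input, modelled on the shapes discussed in the bug.
const std::vector<std::string> kSamplePatterns = {
    "http://example.com/*",          // ok: one glob, in the path, at the end
    "https://example.com/app/page",  // ok: literal URL, no glob
    "http://*.example.com/",         // bad: glob in the host
    "http://example.com/*/*",        // bad: two globs
    "http://example.com*",           // bad: glob before any '/'
    "http://*",                      // bad: glob replaces the whole host
};

int main()
{
    for (const std::string& p : kSamplePatterns) {
        std::cout << (isHardenedUrlPattern(p) ? "accept " : "reject ") << p << '\n';
    }
    return 0;
}
```

Running it prints one accept/reject line per sample pattern; only the first two are accepted.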
Related branches
- PS Jenkins bot: Approve (continuous-integration)
- Olivier Tilloy: Approve
Diff: 138 lines (+61/-3), 3 files modified
- src/app/commandline-parser.cpp (+28/-1)
- src/app/commandline-parser.h (+9/-0)
- tests/unittests/commandline-parser/tst_CommandLineParserTests.cpp (+24/-2)
tags: added: application-confinement
Changed in webbrowser-app (Ubuntu Saucy):
- assignee: nobody → Alexandre Abreu (abreu-alexandre)
- status: New → In Progress
Changed in webbrowser-app (Ubuntu Saucy):
- status: In Progress → Fix Committed
This bug was fixed in the package webbrowser-app - 0.22+13.10.20131004.1-0ubuntu1

---------------
webbrowser-app (0.22+13.10.20131004.1-0ubuntu1) saucy; urgency=low
[ Alexandre Abreu ]
* Harden the set of accepted url patterns. (LP: #1226690)
* When the browser is requested to create a new tab (from a new window
request), open the new tab externally when in webapp mode. (LP:
#1221824)
[ Robert Bruce Park ]
* Enable hardening, and fix some lintian warnings.
[ Olivier Tilloy ]
* Use a different port for the test server when a zombie process
doesn’t release the default one, and use cleanup functions instead
of tearDown() for improved robustness. (LP: #1231492)
* Live bookmarking functionality in the activity view. Known
shortcoming: in the activity view, one should be allowed to bookmark
a domain that contains only one page. This is currently not the
case, it will be addressed separately.
* Expose a single contextual menu for both images and hyperlinks. (LP:
#1233282)
[ Ubuntu daily release ]
* Automatic snapshot from revision 367
-- Ubuntu daily release <email address hidden> Fri, 04 Oct 2013 07:22:38 +0000