Ubuntu
webbrowser-app package

--webappUrlPatterns should be hardened

Bug #1226690 reported by Jamie Strandboge
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
webbrowser-app (Ubuntu)
Fix Released
Undecided
Alexandre Abreu
Saucy
Fix Released
Undecided
Alexandre Abreu

Bug Description

In discussing https://wiki.ubuntu.com/SecurityTeam/Specifications/WebAppsConfinement it was mentioned that apps can specify url patterns that are too lax. Eg:
UrlPatterns: http://mobile.twitter.com*
Starting URL: http://mobile.twitter.com.bad.guy

Options are to
* disallow the pattern (ie, fail to launch)
* try to cleanup the pattern
* just let the app review process handle it

I haven't looked at what webbrowser-app is doing and I'm not sure how much you want to do with it, but please consider multiple globs when performing your hardening. Non exhaustive potentially bad urls:
http://*
http://**
http://*/*
http://mobile.twitter.com*
http://mobile.twitter.c*m/*
http://mobile.twitter.com*/*
...

It might be easiest to:
* only allow one glob
* the glob must happen after a '/'
* the glob must be at the end

Related branches

lp:~abreu-alexandre/webbrowser-app/harden-accepted-set-of-webapp-url-pattern
PS Jenkins bot: Approve (continuous-integration)
Olivier Tilloy: Approve
Diff: 138 lines (+61/-3)
3 files modified
src/app/commandline-parser.cpp (+28/-1)
src/app/commandline-parser.h (+9/-0)
tests/unittests/commandline-parser/tst_CommandLineParserTests.cpp (+24/-2)
lp:ubuntu/saucy-proposed/webbrowser-app
Jamie Strandboge (jdstrand)
tags: added: application-confinement
Alexandre Abreu (abreu-alexandre)
Changed in webbrowser-app (Ubuntu Saucy):
assignee: nobody → Alexandre Abreu (abreu-alexandre)
status: New → In Progress
Olivier Tilloy (osomon)
Changed in webbrowser-app (Ubuntu Saucy):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package webbrowser-app - 0.22+13.10.20131004.1-0ubuntu1

---------------
webbrowser-app (0.22+13.10.20131004.1-0ubuntu1) saucy; urgency=low

  [ Alexandre Abreu ]
  * Harden the set of accepted url patterns. (LP: #1226690)
  * When the browser is requested to create a new tab (from a new window
    request), open the new tab externally when in webapp mode. (LP:
    #1221824)

  [ Robert Bruce Park ]
  * Enable hardening, and fix some lintian warnings.

  [ Olivier Tilloy ]
  * Use a different port for the test server when a zombie process
    doesn’t release the default one, and use cleanup functions instead
    of tearDown() for improved robustness. (LP: #1231492)
  * Live bookmarking functionality in the activity view. Known
    shortcoming: in the activity view, one should be allowed to bookmark
    a domain that contains only one page. This is currently not the
    case, it will be addressed separately.
  * Expose a single contextual menu for both images and hyperlinks. (LP:
    #1233282)

  [ Ubuntu daily release ]
  * Automatic snapshot from revision 367
 -- Ubuntu daily release <email address hidden> Fri, 04 Oct 2013 07:22:38 +0000

Changed in webbrowser-app (Ubuntu Saucy):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.