touch-packages team mailing list archive

[Seth Arnold <1393515@xxxxxxxxxxxxxxxxxx>]

I think the web browser is different from the file browser. If you hand
your phone to a stranger, unlocked, with the intention that they can use
the phone to dial someone or view the wikipedia entry for a topic under
debate or check the weather or whatever, you'd really like it to be
difficult for the person to make your life miserable. Dangerous
operations should require re-prompting with pin or password.

The file browser would allow someone to add .ssh/authorized_keys or
other similar tricks. The web-browser is, as far as I know, a mostly-
read interface that would have great deal of difficulty modifying
content. Granted that there may be plaintext data on the phone that a
user wouldn't want a stranger to have easy read access to, but that data
should probably be stored encrypted anyway.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to webbrowser-app in Ubuntu.
https://bugs.launchpad.net/bugs/1393515

Title:
  browser allows browsing the phone filesystem

Status in webbrowser-app package in Ubuntu:
  Confirmed
Status in webbrowser-app package in Ubuntu RTM:
  Confirmed

Bug description:
  Using a URL like: file:/// gets you to the root of the phone
  filesystem ... i assume this is not actually desired since we even
  block the filemanager app to go higher up then $HOME without requiring
  a password.

  The webbrowser-app should either:
   * behave like the file-manager (see bug #1347010 for details)
   * file:/// should be disabled altogether on the phone
   * webbrowser-app should run confined which would force the use of
     content-hub by limiting file:/// access to those paths allowed by
     policy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/webbrowser-app/+bug/1393515/+subscriptions