touch-packages team mailing list archive

Thread
Date

[Bug 1393515] Re: browser allows browsing the phone filesystem

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Oliver Grawert <ogra@xxxxxxxxxx>
Date: Mon, 28 Sep 2015 19:56:51 -0000
Reply-to: Bug 1393515 <1393515@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

well, we store at least a plaintext password in the syncevolution
settings which the article i linked to complains about ...

and you cant really make sure that an app doesnt do the same in its applicatiopn config dir, we simply dont control that. 
so having the browser ignore or deny the file:// protocol would be a quick way to prevent that (and i must say i personally dont really see a need to support file:/// on a phone)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to webbrowser-app in Ubuntu.
https://bugs.launchpad.net/bugs/1393515

Title:
  browser allows browsing the phone filesystem

Status in webbrowser-app package in Ubuntu:
  Confirmed
Status in webbrowser-app package in Ubuntu RTM:
  Confirmed

Bug description:
  Using a URL like: file:/// gets you to the root of the phone
  filesystem ... i assume this is not actually desired since we even
  block the filemanager app to go higher up then $HOME without requiring
  a password.

  The webbrowser-app should either:
   * behave like the file-manager (see bug #1347010 for details)
   * file:/// should be disabled altogether on the phone
   * webbrowser-app should run confined which would force the use of
     content-hub by limiting file:/// access to those paths allowed by
     policy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/webbrowser-app/+bug/1393515/+subscriptions

Follow ups

Re: [Bug 1393515] Re: browser allows browsing the phone filesystem
From: John Johansen, 2015-09-28

References

[Bug 1393515] [NEW] browser allows browsing the phone filesystem
From: Oliver Grawert, 2014-11-17