touch-packages team mailing list archive

Re: [Bug 1393515] Re: browser allows browsing the phone filesystem

 

On 09/28/2015 11:56 AM, Seth Arnold wrote:
> I think the web browser is different from the file browser. If you hand
> your phone to a stranger, unlocked, with the intention that they can use
> the phone to dial someone or view the wikipedia entry for a topic under
> debate or check the weather or whatever, you'd really like it to be
> difficult for the person to make your life miserable. Dangerous
> operations should require re-prompting with pin or password.
> 
> The file browser would allow someone to add .ssh/authorized_keys or
> other similar tricks. The web-browser is, as far as I know, a mostly-
> read interface that would have a great deal of difficulty modifying
> content. Granted that there may be plaintext data on the phone that a
> user wouldn't want a stranger to have easy read access to, but that data
> should probably be stored encrypted anyway.
> 
Sorry, I need a little more context. Is the browser using the content hub
to browse these files? If not, it is a security problem: browsers cannot
be trusted, there are too many attack surfaces/vulnerabilities, and
allowing it direct access to the fs, except where explicitly allowed
by policy, violates our security model. In this case blocking file://
is not sufficient; that relies on the browser behaving correctly,
which means assuming there are no vulnerabilities in the browser.

If, however, the browsing is done via the content hub and the user is granting
permission to the browser to access files, then this is out of scope. That
is, if the owner hands their phone over to a 3rd party, it is the owner's
responsibility to make sure their data is secured in ways that a regular
user cannot access it (i.e., encrypted or stored in a separate user
account).

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to webbrowser-app in Ubuntu.
https://bugs.launchpad.net/bugs/1393515

Title:
  browser allows browsing the phone filesystem

Status in webbrowser-app package in Ubuntu:
  Confirmed
Status in webbrowser-app package in Ubuntu RTM:
  Confirmed

Bug description:
  Using a URL like: file:/// gets you to the root of the phone
  filesystem ... I assume this is not actually desired since we even
  block the filemanager app from going higher up than $HOME without
  requiring a password.

  The webbrowser-app should either:
   * behave like the file-manager (see bug #1347010 for details)
   * file:/// should be disabled altogether on the phone
   * webbrowser-app should run confined which would force the use of
     content-hub by limiting file:/// access to those paths allowed by
     policy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/webbrowser-app/+bug/1393515/+subscriptions

