touch-packages team mailing list archive

[John Johansen <john.johansen@xxxxxxxxxxxxx>]

On 09/28/2015 12:56 PM, Oliver Grawert wrote:
> well, we store at least a plaintext password in the syncevolution
> settings which the article i linked to complains about ...
> 
> and you cant really make sure that an app doesnt do the same in its applicatiopn config dir, we simply dont control that. 
> so having the browser ignore or deny the file:// protocol would be a quick way to prevent that (and i must say i personally dont really see a need to support file:/// on a phone)
> 
Again intercepting the file:// protocol on the ui is a band aid and does not fix the problem, if the file system is still available to any exploit. The only solution is correct confinement and using content hub style access and delegation of access.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to webbrowser-app in Ubuntu.
https://bugs.launchpad.net/bugs/1393515

Title:
  browser allows browsing the phone filesystem

Status in webbrowser-app package in Ubuntu:
  Confirmed
Status in webbrowser-app package in Ubuntu RTM:
  Confirmed

Bug description:
  Using a URL like: file:/// gets you to the root of the phone
  filesystem ... i assume this is not actually desired since we even
  block the filemanager app to go higher up then $HOME without requiring
  a password.

  The webbrowser-app should either:
   * behave like the file-manager (see bug #1347010 for details)
   * file:/// should be disabled altogether on the phone
   * webbrowser-app should run confined which would force the use of
     content-hub by limiting file:/// access to those paths allowed by
     policy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/webbrowser-app/+bug/1393515/+subscriptions