
touch-packages team mailing list archive

Re: [Bug 1393515] Re: browser allows browsing the phone filesystem

 

On 09/28/2015 01:41 PM, Seth Arnold wrote:
> Oliver, except it's not a phone, it's a converged computing device; I
> use file:/// browsing in my desktop and expect to be able to do the same
> when I replace my desktop with my phone, monitor, keyboard, and mouse.
> 
> John, I agree that the long run should definitely include an AppArmor
> profile on the browser and use content hub when trying to browse outside
> of that. I just wanted to make the case that blocking file:/// access
> isn't the best way forward, and trying to implement a piecemeal
> security policy via UI modifications is building technical debt that's
> better left unsolved rather than handled poorly. Thanks for forcing a
> clarification.
> 
Oh, I agree this has to be treated as a hybrid device, not just a phone.
The point I am trying to make is that even just temporarily blocking
file:// via the UI does not address the problem.

The browser still has file access and any vulnerability can take
advantage of it.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to webbrowser-app in Ubuntu.
https://bugs.launchpad.net/bugs/1393515

Title:
  browser allows browsing the phone filesystem

Status in webbrowser-app package in Ubuntu:
  Confirmed
Status in webbrowser-app package in Ubuntu RTM:
  Confirmed

Bug description:
  Using a URL like: file:/// gets you to the root of the phone
  filesystem ... I assume this is not actually desired since we even
  block the filemanager app from going higher up than $HOME without
  requiring a password.

  The webbrowser-app should either:
   * behave like the file-manager (see bug #1347010 for details)
   * file:/// should be disabled altogether on the phone
   * webbrowser-app should run confined which would force the use of
     content-hub by limiting file:/// access to those paths allowed by
     policy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/webbrowser-app/+bug/1393515/+subscriptions
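
The third option in the bug description (running the browser confined, so that file:/// only reaches paths the policy allows) could look like the following AppArmor profile sketch. This is an added example, not the profile Ubuntu ships for webbrowser-app; the profile name, the binary path placeholder and the directory names are assumptions.

```apparmor
# Hypothetical profile sketch, added for illustration. The attachment path
# and the per-application directories below are placeholders, not values
# taken from the webbrowser-app package.
#include <tunables/global>

profile webbrowser-example /PLACEHOLDER/path/to/browser-binary {
  # Shared libraries, locale data and other basics every program needs.
  #include <abstractions/base>

  # The application's own data and cache, only when owned by the user
  # running the process.
  owner @{HOME}/.local/share/webbrowser-example/** rwk,
  owner @{HOME}/.cache/webbrowser-example/** rwk,

  # AppArmor denies whatever is not granted. No rule here grants / or the
  # rest of @{HOME}, so a file:/// URL typed into the address bar and a
  # read attempted by exploited browser code are refused the same way, by
  # the kernel, for anything outside what the abstraction and the rules
  # above allow. Files from elsewhere have to be handed in through
  # content-hub, as the bug description says.

  # Explicit denies document the intent and take precedence over any
  # allow rule an abstraction might pull in.
  deny /etc/shadow r,
  deny @{HOME}/.ssh/** rw,
}
```

Unlike hiding file:// in the UI, this policy is enforced on the process itself, so it still applies when the request does not come from the address bar.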

