touch-packages team mailing list archive
Message #107252
[Bug 1393515] Re: browser allows browsing the phone filesystem
@john ... i do not want to keep the browser unconfined but currently we
have a widely gaping security hole that allows everyone to read any
cleartext password any third party app stores in the user's home. i have
no doubt that adding confinement is the right solution, can you
implement it for the next OTA (yes this was rhetoric) ... ?
today if a user uses some third party facebook web app that stores his
PW in a cleartext cookie that user can't hand his device unlocked to
someone else without immediately risking that they can read his PW ... i
know intercepting the file protocol isn't a solution, but applying such a
band aid until the actual solution is in place to protect our users
seems acceptable to me vs having this issue open for another year with
actual customers out there being vulnerable ...
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to webbrowser-app in Ubuntu.
https://bugs.launchpad.net/bugs/1393515
Title:
browser allows browsing the phone filesystem
Status in Canonical System Image:
New
Status in webbrowser-app package in Ubuntu:
Confirmed
Status in webbrowser-app package in Ubuntu RTM:
Confirmed
Bug description:
Using a URL like: file:/// gets you to the root of the phone
filesystem ... i assume this is not actually desired since we even
block the filemanager app from going higher up than $HOME without requiring
a password.
The webbrowser-app should either:
* behave like the file-manager (see bug #1347010 for details)
* file:/// should be disabled altogether on the phone
* webbrowser-app should run confined which would force the use of
content-hub by limiting file:/// access to those paths allowed by
policy
To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1393515/+subscriptions