
touch-packages team mailing list archive

[Bug 1393515] Re: browser allows browsing the phone filesystem

 

@seth we are at least 6 months away from an actual "hybrid device" (none
of the phones sold today will be capable of running like this due to driver
or HW limitations). i have some hope that we have an actual confinement
fix in place once the converged device is actually out there ... but do
we really want to keep current customers that bought an ubuntu phone
because they believe in the added security of our concept vulnerable like
this ?

all i'm asking for is a fix that doesn't take another year, this bug is
10 months old and nobody has even started the work on the actual fix.
yes, intercepting file:// isn't shiny or nice but we have people out
there running around with this bug, will we just leave them in the cold
for another 6 months ?

** Also affects: canonical-devices-system-image
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to webbrowser-app in Ubuntu.
https://bugs.launchpad.net/bugs/1393515

Title:
  browser allows browsing the phone filesystem

Status in Canonical System Image:
  New
Status in webbrowser-app package in Ubuntu:
  Confirmed
Status in webbrowser-app package in Ubuntu RTM:
  Confirmed

Bug description:
  Using a URL like: file:/// gets you to the root of the phone
  filesystem ... i assume this is not actually desired since we even
  block the filemanager app from going higher up than $HOME without
  requiring a password.

  The webbrowser-app should either:
   * behave like the file-manager (see bug #1347010 for details)
   * file:/// should be disabled altogether on the phone
   * webbrowser-app should run confined which would force the use of
     content-hub by limiting file:/// access to those paths allowed by
     policy

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1393515/+subscriptions
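
Added example (not webbrowser-app code and not part of the bug report): a sketch of the path check that intercepting file:// or limiting it to "paths allowed by policy" would need, written in Python for illustration. The function name `file_url_allowed`, the helper `demo` and the sample URLs are assumptions constructed for this example.

```python
import os
import tempfile
from urllib.parse import unquote, urlsplit


def file_url_allowed(url, allowed_roots):
    """Return True unless url is a file: URL that resolves outside allowed_roots."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "file":
        return True   # this policy only covers the file: scheme
    if parts.netloc not in ("", "localhost"):
        return False  # file://otherhost/... is not a local path
    path = unquote(parts.path)  # decode %2e%2e etc. before any comparison
    if not path.startswith("/") or "\x00" in path:
        return False
    # realpath collapses "..", repeated slashes and symlinks, so the decision
    # is made on the file that would actually be opened.
    real = os.path.realpath(path)
    for root in allowed_roots:
        root_real = os.path.realpath(root)
        # commonpath compares whole components: /home/a does not match /home/ab
        if os.path.commonpath([real, root_real]) == root_real:
            return True
    return False


def demo():
    """Run the check over constructed URLs against a throwaway 'home' directory."""
    home = tempfile.mkdtemp()
    os.symlink("/", os.path.join(home, "escape"))  # symlink pointing out of home
    urls = [
        "file://" + home + "/Documents/page.html",
        "file:///",
        "file://" + home + "/%2e%2e/%2e%2e/etc/passwd",
        "file://" + home + "/escape/etc/passwd",
        "file://" + home + "-other/page.html",
    ]
    return [(u, file_url_allowed(u, [home])) for u in urls]


if __name__ == "__main__":
    for url, ok in demo():
        print("ALLOW" if ok else "DENY ", url)
```

The check and the later open are separate steps, so a symlink swapped in between them can still escape the allowed root; that race is one reason the confinement option is the stronger fix.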

