
ubuntu-apps-bugs team mailing list archive

[Bug 1226690] Re: --webappUrlPatterns should be hardened


This bug was fixed in the package webbrowser-app -
0.22+13.10.20131004.1-0ubuntu1

---------------
webbrowser-app (0.22+13.10.20131004.1-0ubuntu1) saucy; urgency=low

  [ Alexandre Abreu ]
  * Harden the set of accepted url patterns. (LP: #1226690)
  * When the browser is requested to create a new tab (from a new window
    request), open the new tab externally when in webapp mode. (LP:
    #1221824)

  [ Robert Bruce Park ]
  * Enable hardening, and fix some lintian warnings.

  [ Olivier Tilloy ]
  * Use a different port for the test server when a zombie process
    doesn’t release the default one, and use cleanup functions instead
    of tearDown() for improved robustness. (LP: #1231492)
  * Live bookmarking functionality in the activity view. Known
    shortcoming: in the activity view, one should be allowed to bookmark
    a domain that contains only one page. This is currently not the
    case, it will be addressed separately.
  * Expose a single contextual menu for both images and hyperlinks. (LP:
    #1233282)

  [ Ubuntu daily release ]
  * Automatic snapshot from revision 367
 -- Ubuntu daily release <ps-jenkins@xxxxxxxxxxxxxxxxxxx>   Fri, 04 Oct 2013 07:22:38 +0000

** Changed in: webbrowser-app (Ubuntu Saucy)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Apps bug tracking, which is subscribed to webbrowser-app in Ubuntu.
https://bugs.launchpad.net/bugs/1226690

Title:
  --webappUrlPatterns should be hardened

Status in “webbrowser-app” package in Ubuntu:
  Fix Released
Status in “webbrowser-app” source package in Saucy:
  Fix Released

Bug description:
  In discussing https://wiki.ubuntu.com/SecurityTeam/Specifications/WebAppsConfinement it was mentioned that apps can specify url patterns that are too lax. E.g.:
  UrlPatterns: http://mobile.twitter.com*
  Starting URL: http://mobile.twitter.com.bad.guy

  Options are to
  * disallow the pattern (i.e., fail to launch)
  * try to clean up the pattern
  * just let the app review process handle it

  I haven't looked at what webbrowser-app is doing and I'm not sure how much you want to do with it, but please consider multiple globs when performing your hardening. Non-exhaustive potentially bad urls:
  http://*
  http://**
  http://*/*
  http://mobile.twitter.com*
  http://mobile.twitter.c*m/*
  http://mobile.twitter.com*/*
  ...

  It might be easiest to:
  * only allow one glob
  * the glob must happen after a '/'
  * the glob must be at the end

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/webbrowser-app/+bug/1226690/+subscriptions
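
The three rules proposed at the end of the bug description (one glob, after a '/', at the end) are easy to enforce before a pattern is ever used for matching. The following is an added example, not code from webbrowser-app or the fix referenced above; the function names `check_pattern` and `url_matches` are my own, and the host syntax it accepts is an assumption (letters, digits, hyphens and dots only). It rejects every pattern listed as bad in the report, and the matcher shows why the accepted form `http://mobile.twitter.com/*` no longer matches a starting URL of `http://mobile.twitter.com.bad.guy`: the host is compared exactly and the glob only covers the path.

```python
"""Validate --webappUrlPatterns style globs and match URLs against them.

Rules enforced (from the bug report's proposal):
  1. exactly one '*' glob
  2. the glob must come after a '/' (i.e. it lives in the path, never the host)
  3. the glob must be the last character
Added example; hypothetical helper names, not webbrowser-app's own code.
"""
import re
from urllib.parse import urlsplit

# Assumption: a literal hostname is dot-separated labels of [A-Za-z0-9-],
# no leading/trailing hyphen per label, no wildcard characters at all.
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$", re.IGNORECASE)


def check_pattern(pattern: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only if all three rules hold and the
    part before the glob is a literal http(s)://host[:port]/path prefix."""
    if pattern.count("*") != 1:
        return False, "exactly one '*' is allowed"
    if not pattern.endswith("*"):
        return False, "the '*' must be the last character"
    prefix = pattern[:-1]                      # literal part before the glob
    parts = urlsplit(prefix)
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    if "@" in parts.netloc:
        return False, "userinfo is not allowed in a pattern"
    host = parts.hostname or ""
    if not _HOST_RE.match(host):
        return False, "host must be a literal hostname"
    # Rule 2: with no '/' after the host, urlsplit yields an empty path,
    # which is exactly the http://mobile.twitter.com* case.
    if not parts.path.startswith("/"):
        return False, "the '*' must come after the '/' that ends the host"
    return True, "ok"


def url_matches(pattern: str, url: str) -> bool:
    """Match a URL against a validated pattern: scheme and host[:port] must be
    identical (case-insensitively) and the path must start with the prefix."""
    ok, _ = check_pattern(pattern)
    if not ok:
        return False                           # a bad pattern matches nothing
    p = urlsplit(pattern[:-1])
    u = urlsplit(url)
    return (u.scheme.lower() == p.scheme.lower()
            and u.netloc.lower() == p.netloc.lower()
            and u.path.startswith(p.path))


# Constructed sample input: the patterns listed in the bug report plus one
# that follows the proposed rules.
BAD_PATTERNS = [
    "http://*",
    "http://**",
    "http://*/*",
    "http://mobile.twitter.com*",
    "http://mobile.twitter.c*m/*",
    "http://mobile.twitter.com*/*",
]
GOOD_PATTERN = "http://mobile.twitter.com/*"


def triage(patterns: list[str]) -> dict[str, str]:
    """Map each pattern to the reason it was rejected, or 'ok'."""
    return {pat: check_pattern(pat)[1] for pat in patterns}


if __name__ == "__main__":
    for pat, reason in triage(BAD_PATTERNS + [GOOD_PATTERN]).items():
        print(f"{pat:32} -> {reason}")
    for start in ("http://mobile.twitter.com/home",
                  "http://mobile.twitter.com.bad.guy",
                  "http://mobile.twitter.com.bad.guy/"):
        print(f"{start:40} matches {GOOD_PATTERN}? "
              f"{url_matches(GOOD_PATTERN, start)}")
```

The only design choice worth noting is comparing `netloc` rather than just `hostname`: that keeps an explicit port in the pattern significant and makes a URL carrying userinfo (`user@host`) fail closed instead of being matched by host alone.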