ubuntu-apps-bugs team mailing list archive (Message #00250)
[Bug 1226690] Re: --webappUrlPatterns should be hardened
This bug was fixed in the package webbrowser-app - 0.22+13.10.20131004.1-0ubuntu1
---------------
webbrowser-app (0.22+13.10.20131004.1-0ubuntu1) saucy; urgency=low
[ Alexandre Abreu ]
* Harden the set of accepted url patterns. (LP: #1226690)
* When the browser is requested to create a new tab (from a new window
request), open the new tab externally when in webapp mode. (LP: #1221824)
[ Robert Bruce Park ]
* Enable hardening, and fix some lintian warnings.
[ Olivier Tilloy ]
* Use a different port for the test server when a zombie process
doesn’t release the default one, and use cleanup functions instead
of tearDown() for improved robustness. (LP: #1231492)
* Live bookmarking functionality in the activity view. Known
shortcoming: in the activity view, one should be allowed to bookmark
a domain that contains only one page. This is currently not the
case, it will be addressed separately.
* Expose a single contextual menu for both images and hyperlinks. (LP: #1233282)
[ Ubuntu daily release ]
* Automatic snapshot from revision 367
-- Ubuntu daily release <ps-jenkins@xxxxxxxxxxxxxxxxxxx> Fri, 04 Oct 2013 07:22:38 +0000
** Changed in: webbrowser-app (Ubuntu Saucy)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Apps bug tracking, which is subscribed to webbrowser-app in Ubuntu.
https://bugs.launchpad.net/bugs/1226690
Title:
--webappUrlPatterns should be hardened
Status in “webbrowser-app” package in Ubuntu:
Fix Released
Status in “webbrowser-app” source package in Saucy:
Fix Released
Bug description:
In discussing https://wiki.ubuntu.com/SecurityTeam/Specifications/WebAppsConfinement it was mentioned that apps can specify url patterns that are too lax. E.g.:
UrlPatterns: http://mobile.twitter.com*
Starting URL: http://mobile.twitter.com.bad.guy
Options are to
* disallow the pattern (i.e., fail to launch)
* try to clean up the pattern
* just let the app review process handle it
I haven't looked at what webbrowser-app is doing and I'm not sure how much you want to do with it, but please consider multiple globs when performing your hardening. Non-exhaustive potentially bad urls:
http://*
http://**
http://*/*
http://mobile.twitter.com*
http://mobile.twitter.c*m/*
http://mobile.twitter.com*/*
...
It might be easiest to:
* only allow one glob
* the glob must happen after a '/'
* the glob must be at the end
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/webbrowser-app/+bug/1226690/+subscriptions
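The three rules proposed at the end of the bug description (only one glob, the glob after a '/', the glob at the end), carried into a small validator. This is an added example and not part of the bug report or of webbrowser-app's own code (which is C++/QML); it is written in Python, and the function names, the sample pattern list, and the extra requirement that a pattern start with a literal scheme followed by '://' are this example's own assumptions. It also contrasts the lax "'*' matches anything" behaviour the report warns about with matching a URL against a validated pattern, and it goes slightly beyond the report by showing that a userinfo trick such as 'http://mobile.twitter.com@bad.guy/' is rejected when the host is compared exactly.

```python
"""Validate --webappUrlPatterns entries the way LP: #1226690 proposes.

Added illustration in Python; not webbrowser-app's own implementation.
The sample patterns and all function names are constructed for this example.
"""
import re
from typing import Dict, Iterable, Tuple
from urllib.parse import urlsplit

# Constructed sample: the bug's "potentially bad urls" plus two patterns that
# follow all three rules (one glob, after the '/' that ends the host, at the end).
SAMPLE_PATTERNS = [
    "http://*",
    "http://**",
    "http://*/*",
    "http://mobile.twitter.com*",
    "http://mobile.twitter.c*m/*",
    "http://mobile.twitter.com*/*",
    "http://mobile.twitter.com/*",
    "https://mobile.twitter.com/messages*",
]


def naive_glob_match(pattern: str, url: str) -> bool:
    """The lax behaviour the bug warns about: every '*' means 'anything at all',
    with no notion of where the host ends. Reference point, not a recommendation."""
    regex = "^" + ".*".join(re.escape(piece) for piece in pattern.split("*")) + "$"
    return re.match(regex, url) is not None


def validate_pattern(pattern: str) -> Tuple[bool, str]:
    """Apply the bug's three rules, plus this example's assumption that the
    pattern carries a literal scheme followed by '://'. Returns (accepted, reason)."""
    if pattern.count("*") > 1:
        return False, "more than one glob"
    scheme, sep, rest = pattern.partition("://")
    if not sep or not scheme or "*" in scheme:
        return False, "scheme must be literal and followed by '://'"
    # The first '/' after '://' separates host from path. A glob anywhere in
    # the host part did not come after that '/', so it is rejected.
    host, _slash, path = rest.partition("/")
    if not host or "*" in host:
        return False, "glob must come after the '/' that ends the host"
    if "*" in path and not path.endswith("*"):
        return False, "glob must be at the end of the pattern"
    return True, "ok"


def hardened_match(pattern: str, url: str) -> bool:
    """Match a URL against a pattern that passes validate_pattern(): scheme and
    host must be equal (case-insensitive) and the path must match the literal
    prefix before the optional trailing glob. Query and fragment are ignored;
    ports in the pattern are not supported in this example."""
    accepted, _reason = validate_pattern(pattern)
    if not accepted:
        return False
    p_scheme, _, p_rest = pattern.partition("://")
    p_host, _, p_path = p_rest.partition("/")
    p_path = "/" + p_path
    u = urlsplit(url)
    # urlsplit() drops userinfo and port from .hostname, so the URL
    # http://mobile.twitter.com@bad.guy/ yields hostname 'bad.guy' and fails here.
    if u.scheme.lower() != p_scheme.lower():
        return False
    if (u.hostname or "").lower() != p_host.lower():
        return False
    u_path = u.path or "/"
    if p_path.endswith("*"):
        return u_path.startswith(p_path[:-1])
    return u_path == p_path


def audit(patterns: Iterable[str]) -> Dict[str, Tuple[bool, str]]:
    """Report, for each pattern, whether it is accepted and otherwise why not."""
    return {p: validate_pattern(p) for p in patterns}


if __name__ == "__main__":
    for pattern, (ok, reason) in audit(SAMPLE_PATTERNS).items():
        print(f"{'accept' if ok else 'reject'}  {pattern:40s} {reason}")
    lax, bad_start = "http://mobile.twitter.com*", "http://mobile.twitter.com.bad.guy"
    print("naive match of the bug's example:   ", naive_glob_match(lax, bad_start))
    print("hardened match of the same pattern: ", hardened_match(lax, bad_start))
```

Of the eight sample patterns only the last two are accepted; the bug's own example pattern is rejected outright, so the "Starting URL" in the report never gets as far as matching. The matcher compares the host as a whole rather than as a string prefix, which is what closes the 'mobile.twitter.com.bad.guy' hole even for a pattern that passed validation.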