ubuntu-webapps-bugs team mailing list archive
-
ubuntu-webapps-bugs team
-
Mailing list archive
-
Message #00208
[Bug 1197056] Re: SDK and cordova webview applications should not use ~/.local/share/*/.QtWebKit/ for their databases
This bug was fixed in the package apparmor-easyprof-ubuntu - 1.1.3
---------------
apparmor-easyprof-ubuntu (1.1.3) trusty; urgency=medium
* 1.1/webview: updates for oxide
* 1.1/ubuntu-sdk: remove workaround policy for LP: #1197056 (cordova webview
applications should not use ~/.local/share)
* 1.*/ubuntu-sdk: all to receive Open on org.freedesktop.Application to
allow UriHandler in the SDK to work with already running apps. Patch
thanks to Ken Vandine.
* implement autopkgtests
- add debian/tests/control
- add debian/tests/install_*
- adjust debian/control for XS-Testsuite
-- Jamie Strandboge <jamie@xxxxxxxxxx> Wed, 05 Feb 2014 16:54:26 -0500
** Changed in: apparmor-easyprof-ubuntu (Ubuntu Trusty)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
WebApps bug tracking, which is subscribed to cordova-ubuntu in Ubuntu.
https://bugs.launchpad.net/bugs/1197056
Title:
SDK and cordova webview applications should not use
~/.local/share/*/.QtWebKit/ for their databases
Status in Cordova Ubuntu:
Confirmed
Status in Ubuntu UI SDK for HTML5 Apps:
Fix Committed
Status in Ubuntu UI Toolkit:
Fix Released
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
Fix Released
Status in “cordova-ubuntu” package in Ubuntu:
Confirmed
Status in “ubuntu-html5-theme” package in Ubuntu:
Fix Released
Status in “ubuntu-ui-toolkit” package in Ubuntu:
Fix Released
Status in “apparmor-easyprof-ubuntu” source package in Saucy:
Fix Released
Status in “ubuntu-ui-toolkit” source package in Saucy:
Fix Released
Status in “apparmor-easyprof-ubuntu” source package in Trusty:
Fix Released
Status in “cordova-ubuntu” source package in Trusty:
Confirmed
Status in “ubuntu-html5-theme” source package in Trusty:
Fix Released
Status in “ubuntu-ui-toolkit” source package in Trusty:
Fix Released
Bug description:
Ubuntu SDK applications that use webkit webviews store webkit databases in places like this:
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db
This results in AppArmor rules like the following:
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db" rwk,
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db" rwk,
But these rules are too lenient because this could disclose data to a
malicious app and a malicious app could poison the databases.
Therefore, these paths need to be made application specific.
Specifically webbrowser-app should be adjusted to use
$XDG_DATA_HOME/<app_pkgname> for webapps, where '<app_pkgname>' is the
"name" field in the Click manifest (see bug #1197037 for details).
The same bug affects cordova-ubuntu, but writes are to @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit resulting in these too-lenient rules:
owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/WebpageIcons.db" rwk,
owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/cookies.db" rwk,
owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/LocalStorage/" r,
owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/LocalStorage/**" rwk,
To manage notifications about this bug go to:
https://bugs.launchpad.net/cordova-ubuntu/+bug/1197056/+subscriptions