Posted to commits@cordova.apache.org by GitBox <gi...@apache.org> on 2018/11/30 14:02:18 UTC
[GitHub] matiu opened a new issue #276: Question Regarding Restricting FileSystem Access to certain parts of the code
URL: https://github.com/apache/cordova-plugin-file/issues/276
Related to the recent event-stream exploit (https://github.com/dominictarr/event-stream/issues/116)
The attacker used the fact that `window.cordova.file` is global and publicly accessible from anywhere in the code, as shown in this part of the injected malicious code:
``` javascript
// Excerpt of the injected payload. `t` (the name of the file to read) and `n`
// (the callback that receives the parsed contents) are defined elsewhere in
// the injected code and are not part of this excerpt.
if (window.cordova) try {
    // cordova.file is a global, so any code in the page can find the app data directory
    var e = cordova.file.dataDirectory;
    resolveLocalFileSystemURL(e, function(e) {
        e.getFile(t, {
            create: !1   // false: only open an existing file, never create one
        }, function(e) {
            e.file(function(e) {
                var t = new FileReader;
                t.onloadend = function() {
                    return n(JSON.parse(t.result))   // hand the parsed file to the callback
                }, t.onerror = function(e) {
                    t.abort()
                }, t.readAsText(e)
            })
        })
    })
} catch (e) {}   // the excerpt ends before the catch; an empty one is assumed here to close the try
```
We are thinking of different ways to prevent unauthorized parts of the code from accessing the file system, but I wonder if there is any existing solution for that, or whether you guys have already thought about a possibility of doing so.
thanks,
matías
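One way to approach the restriction asked about above, as an added example that is not part of the issue or of cordova-plugin-file: a trusted bootstrap captures the file API into a closure before any third-party bundle is evaluated, exposes a reader limited to an allow-list of file names, and then pins `cordova.file` and `resolveLocalFileSystemURL` to `undefined` so code loaded later, such as the snippet quoted in the issue, finds nothing to call. The Cordova objects are a constructed in-memory stand-in (synchronous callbacks, no `FileReader`) so the block runs under Node; `lockDownFileApi`, `readAppFile`, `payloadAttempt` and `tryRestore` are names invented for this example.

```javascript
'use strict';

// Constructed stand-in for the Cordova file plugin (not real Cordova): an
// in-memory "data directory" and a synchronous resolveLocalFileSystemURL so
// the example runs offline under Node. Real Cordova callbacks are asynchronous.
const fakeFiles = {
  'file:///data/app/settings.json': '{"theme":"dark"}',
  'file:///data/app/wallet.json': '{"secret":"do-not-leak"}',
};

function makeFakeWindow() {
  const win = { cordova: { file: { dataDirectory: 'file:///data/app/' } } };
  win.resolveLocalFileSystemURL = function (url, onSuccess, onError) {
    if (!url.startsWith('file:///')) return onError && onError(new Error('bad url'));
    onSuccess({
      getFile(name, _opts, ok, fail) {
        const full = url + name;
        if (!(full in fakeFiles)) return fail && fail(new Error('not found: ' + name));
        // Stand-in FileEntry: file(cb) hands the text straight to cb (no FileReader).
        ok({ file(cb) { cb(fakeFiles[full]); } });
      },
    });
  };
  return win;
}

// Trusted bootstrap, assumed to run before any third-party bundle is evaluated.
// It captures the file API into closure scope, exposes a reader limited to an
// allow-list of file names, and pins the globals to undefined so code loaded
// later can neither find nor restore them.
function lockDownFileApi(win, allowedNames) {
  const resolveUrl = win.resolveLocalFileSystemURL;
  const dataDir = win.cordova.file.dataDirectory;
  const allowed = new Set(allowedNames);

  function readAppFile(name) {
    if (!allowed.has(name)) throw new Error('access denied: ' + name);
    let text, error;
    resolveUrl(dataDir, function (dir) {
      dir.getFile(name, { create: false },
        function (entry) { entry.file(function (t) { text = t; }); },
        function (e) { error = e; });
    }, function (e) { error = e; });
    if (error) throw error;
    return text;
  }

  const pinned = { value: undefined, writable: false, configurable: false, enumerable: false };
  delete win.cordova.file;
  Object.defineProperty(win.cordova, 'file', pinned);
  Object.defineProperty(win, 'resolveLocalFileSystemURL', pinned);
  return { readAppFile };
}

// Untrusted dependency taking the same steps as the injected snippet: find the
// data directory through the globals and read a named file out of it.
function payloadAttempt(win, fileName) {
  let leaked = null;
  if (win.cordova) try {
    var e = win.cordova.file.dataDirectory;   // TypeError once `file` is pinned to undefined
    win.resolveLocalFileSystemURL(e, function (dir) {
      dir.getFile(fileName, { create: false }, function (entry) {
        entry.file(function (text) { leaked = JSON.parse(text); });
      });
    });
  } catch (err) {
    return { blocked: true, reason: err.name + ': ' + err.message };
  }
  return { blocked: leaked === null, data: leaked };
}

// Later code trying to put the globals back; returns true if the lockdown held.
function tryRestore(win) {
  try { win.cordova.file = { dataDirectory: 'file:///data/app/' }; } catch (_) { /* strict mode throws */ }
  try { win.resolveLocalFileSystemURL = function () {}; } catch (_) { /* same */ }
  return win.cordova.file === undefined && win.resolveLocalFileSystemURL === undefined;
}

function demo() {
  const win = makeFakeWindow();
  const before = payloadAttempt(win, 'wallet.json');   // leaks the wallet
  const api = lockDownFileApi(win, ['settings.json']);
  const after = payloadAttempt(win, 'wallet.json');    // blocked
  return { win, api, before, after };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('before lockdown:', r.before);
  console.log('after lockdown :', r.after);
  console.log('trusted read   :', r.api.readAppFile('settings.json'));
  console.log('restore held   :', tryRestore(r.win));
}
```

This is a mitigation, not a security boundary: everything runs in one JavaScript realm, so a dependency evaluated before the bootstrap, or code that already holds a reference to the plugin functions, is unaffected, and other Cordova plugins that expect `cordova.file` to exist will break. Hiding the API behind the allow-list only helps if the untrusted code has no other route to the same objects, for example through another plugin's globals.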