Posted to commits@weex.apache.org by GitBox <gi...@apache.org> on 2019/04/28 10:04:32 UTC

[GitHub] [incubator-weex] tuhaolam opened a new issue #2376: [Android]Security Issue:

tuhaolam opened a new issue #2376: [Android]Security Issue: 
URL: https://github.com/apache/incubator-weex/issues/2376
 
 
   ## Problems and suggestions
   ### Problem 1
   The following API exports Java native interfaces to the page's JavaScript through the WebView object, which may lead to arbitrary command execution:
   > https://github.com/apache/incubator-weex/blob/15e8df0a1aeddbb6a41afcccee373944e68914a9/android/sdk/src/main/java/com/taobao/weex/ui/view/WXWebView.java
   ### Suggestion 1
   It is recommended to disable the dangerous addJavascriptInterface interface for exporting Java classes and methods, and to remove the three dangerous interfaces built into the system WebKit: searchBoxJavaBridge_, accessibility and accessibilityTraversal.
   
   ### Problem 2
   The ZipEntry.getName() method used in the following file does not filter "../", which can lead to directory traversal:
   > https://github.com/apache/incubator-weex/blob/a0222dbefad18e7d1fb0e75a6cf5f52e887e66d3/android/sdk/src/main/java/com/taobao/weex/utils/WXSoInstallMgrSdk.java
   ### Suggestion 2
   If the return value of ZipEntry.getName() contains the "../" traversal sequence, a directory traversal vulnerability exists; please filter out the "../" sequence.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
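Added example for Suggestion 1 (this is editor-supplied code, not code from the Weex project or from the issue reporter): hardening a plain android.webkit.WebView so that no unintended Java objects are reachable from page JavaScript. It removes the three implicit system bridges named above, and only registers an explicit bridge where the runtime honours @JavascriptInterface (API 17 and later); on earlier releases every public method of a bridged object is reachable from page script via reflection, which is the "arbitrary command execution" path. The WebViewHardening and PingBridge class names, and the ping() method, are assumptions for illustration.

```java
// Editor-supplied example (not Weex project code). Class and method names
// are hypothetical; the APIs used are the standard Android WebView ones.
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

public final class WebViewHardening {

    // Bridges that older system WebViews expose to page JavaScript implicitly.
    private static final String[] IMPLICIT_BRIDGES = {
        "searchBoxJavaBridge_", "accessibility", "accessibilityTraversal"
    };

    private WebViewHardening() {}

    /** Strip implicit bridges and close the file-URL escalation paths. */
    public static void harden(WebView webView) {
        // removeJavascriptInterface exists since API 11 and is a no-op
        // when the name is not registered, so it is safe to call blindly.
        for (String name : IMPLICIT_BRIDGES) {
            webView.removeJavascriptInterface(name);
        }

        // A bridge is only as dangerous as the content that can reach it;
        // do not let file:// pages script the WebView either.
        webView.getSettings().setAllowFileAccess(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            webView.getSettings().setAllowFileAccessFromFileURLs(false);
            webView.getSettings().setAllowUniversalAccessFromFileURLs(false);
        }
    }

    /**
     * Register a bridge only where @JavascriptInterface is enforced
     * (API 17+). Below that, addJavascriptInterface exposes every public
     * method of the object, so the bridge is simply not installed.
     */
    public static boolean addBridgeIfSafe(WebView webView, Object bridge, String name) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            return false;
        }
        webView.addJavascriptInterface(bridge, name);
        return true;
    }

    /** Hypothetical bridge: only annotated methods are callable from JS. */
    public static final class PingBridge {
        @JavascriptInterface
        public String ping() {
            return "pong";
        }
        // Deliberately unannotated: not reachable from page script on API 17+.
        public String internalOnly() {
            return "hidden";
        }
    }
}
```

Call harden() right after constructing the WebView and before loading any URL; addBridgeIfSafe() returns false on pre-17 devices so the caller can fall back to a no-bridge code path instead of silently shipping an unrestricted one.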
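Added example for Suggestion 2 (editor-supplied code, not the Weex project's WXSoInstallMgrSdk or the reporter's code): extracting a zip archive without directory traversal. Rather than searching the entry name for the substring "../" as the reporter suggests, it resolves each entry against the target directory and rejects any entry whose canonical path is not inside it, which is the more robust form of the same check because it compares resolved paths instead of textual patterns. The sample archive, built in memory in sampleZip(), is constructed for this example; the SafeUnzip class, its method names and the entry names are assumptions.

```java
// Editor-supplied example (not Weex project code). Plain JDK, no Android
// dependency; the archive is constructed in memory for the demonstration.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public final class SafeUnzip {

    private SafeUnzip() {}

    /** Resolve entryName under destDir, or throw if the result escapes it. */
    static File resolveEntry(File destDir, String entryName) throws IOException {
        File destCanon = destDir.getCanonicalFile();
        File target = new File(destCanon, entryName).getCanonicalFile();
        // Trailing separator so "/tmp/out" does not accept "/tmp/outside".
        String prefix = destCanon.getPath() + File.separator;
        if (!target.getPath().startsWith(prefix)) {
            throw new IOException("zip entry escapes target directory: " + entryName);
        }
        return target;
    }

    /** Extract the archive; returns the names of entries that were rejected. */
    static List<String> extract(InputStream zipBytes, File destDir) throws IOException {
        List<String> rejected = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(zipBytes)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                File target;
                try {
                    target = resolveEntry(destDir, entry.getName());
                } catch (IOException e) {
                    rejected.add(entry.getName());
                    zis.closeEntry();
                    continue;
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target.toPath());
                } else {
                    Files.createDirectories(target.getParentFile().toPath());
                    try (OutputStream out = new FileOutputStream(target)) {
                        byte[] buf = new byte[8192];
                        int n;
                        while ((n = zis.read(buf)) > 0) {
                            out.write(buf, 0, n);
                        }
                    }
                }
                zis.closeEntry();
            }
        }
        return rejected;
    }

    /** Constructed sample: one benign entry and one traversal entry. */
    static byte[] sampleZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("lib/libdemo.so"));
            zos.write("benign".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../../evil.so"));
            zos.write("escaped".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        File dest = Files.createTempDirectory("unzip-demo").toFile();
        List<String> rejected = extract(new ByteArrayInputStream(sampleZip()), dest);
        System.out.println("rejected entries: " + rejected);
        System.out.println("benign entry extracted: "
                + new File(dest, "lib/libdemo.so").isFile());
    }
}
```

Running main() extracts lib/libdemo.so under the temporary directory and lists ../../evil.so as rejected. The same resolveEntry() check drops in wherever the project turns ZipEntry.getName() into a destination path; the rejection is logged rather than fatal here so that one hostile entry cannot be used to abort an otherwise valid install, but a caller that prefers to fail closed can rethrow instead.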