Posted to commits@cordova.apache.org by st...@apache.org on 2015/09/22 01:56:37 UTC

svn commit: r1704444 - in /cordova/site: public/blog/index.html public/index.html public/news/2015/09/21/ public/news/2015/09/21/file-transfer-release.html public/rss.xml www/_posts/2015-09-21-file-transfer-release.md

Author: steven
Date: Mon Sep 21 23:56:37 2015
New Revision: 1704444

URL: http://svn.apache.org/viewvc?rev=1704444&view=rev
Log:
added file-transfer blog post

Added:
    cordova/site/public/news/2015/09/21/
    cordova/site/public/news/2015/09/21/file-transfer-release.html
    cordova/site/www/_posts/2015-09-21-file-transfer-release.md
Modified:
    cordova/site/public/blog/index.html
    cordova/site/public/index.html
    cordova/site/public/rss.xml

Modified: cordova/site/public/blog/index.html
URL: http://svn.apache.org/viewvc/cordova/site/public/blog/index.html?rev=1704444&r1=1704443&r2=1704444&view=diff
==============================================================================
--- cordova/site/public/blog/index.html (original)
+++ cordova/site/public/blog/index.html Mon Sep 21 23:56:37 2015
@@ -57,6 +57,11 @@
 <ul class="posts">
   
     <li>
+    <span>21 Sep 2015</span> &raquo;
+    <a href="//cordova.apache.org/news/2015/09/21/file-transfer-release.html">cordova--plugin-file-transfer release: September 21, 2015</a>
+    </li>
+  
+    <li>
     <span>09 Sep 2015</span> &raquo;
     <a href="//cordova.apache.org/news/2015/09/09/tools-release.html">Tools Release: September 9th, 2015</a>
     </li>
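Review bot: the link text of the new 21 Sep entry reads "cordova--plugin-file-transfer release" with a doubled hyphen, while the plugin id used everywhere else in this commit (the rm/add commands, the changelog heading "cordova-plugin-file-transfer@1.3.0") is "cordova-plugin-file-transfer". The same doubled hyphen appears in the generated page title, the h2, the RSS item title and the post front matter, so it should be corrected once in the "title:" line of www/_posts/2015-09-21-file-transfer-release.md and the public/ files regenerated rather than patched by hand.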

Modified: cordova/site/public/index.html
URL: http://svn.apache.org/viewvc/cordova/site/public/index.html?rev=1704444&r1=1704443&r2=1704444&view=diff
==============================================================================
--- cordova/site/public/index.html (original)
+++ cordova/site/public/index.html Mon Sep 21 23:56:37 2015
@@ -89,6 +89,23 @@
   <h2>News <a href="/rss.xml" style="font-size:12pt; margin-left:10px">Subscribe</a></h2>
   <ul class="posts">
     
+      <li><span>21 Sep 2015</span> &raquo; <a href="//cordova.apache.org/news/2015/09/21/file-transfer-release.html">cordova--plugin-file-transfer release: September 21, 2015</a>
+      
+<p>A medium security issue was discovered for cordova-plugin-file-transfer plugin. We are releasing version <code>1.3.0</code> of <code>cordova-plugin-file-transer</code> to address this security issue. We recommend that all applications currently using an older version of this plugin to upgrade as soon as possible.</p>
+<hr />
+<p>You can update the plugin by removing it, and then re-adding it.</p>
+
+<p>E.g. To update your file-transer plugin:</p>
+
+<pre><code>cordova plugin rm cordova-plugin-file-transfer --save
+cordova plugin add cordova-plugin-file-transfer --save</code></pre>
+
+<p>The security issue is CVE-2015-5204.</p>
+
+<p>For your convenience, the text of the CVE is included here:</p>
+
+      <div style="padding-bottom:2em"><a href="//cordova.apache.org/news/2015/09/21/file-transfer-release.html">Read More</a></div>
+    
       <li><span>09 Sep 2015</span> &raquo; <a href="//cordova.apache.org/news/2015/09/09/tools-release.html">Tools Release: September 9th, 2015</a>
       
 <p>New versions of cordova tools are now live!</p>
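Review bot: the intro paragraph misspells the package as "<code>cordova-plugin-file-transer</code>" and later "your file-transer plugin", while the commands in the <pre> block correctly use "cordova-plugin-file-transfer"; a reader searching the registry for the misspelled id will not find the fixed version, so the prose should match the commands. "We recommend that all applications currently using an older version of this plugin to upgrade" should drop the "to". The new <li> is not closed before the next <li>, but the existing 09 Sep entry below has the same shape, so that is the generator's output rather than a new defect.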
@@ -137,26 +154,6 @@
 
       <div style="padding-bottom:2em"><a href="//cordova.apache.org/news/2015/09/08/CPR-readonly.html">Read More</a></div>
     
-      <li><span>05 Sep 2015</span> &raquo; <a href="//cordova.apache.org/announcements/2015/09/05/cordova-blackberry-3.8.0.html">Apache Cordova BlackBerry 3.8.0</a>
-      
-<p>We are happy to announce that <code>Cordova BlackBerry 3.8.0</code> has been released and will be the default BlackBerry version after next <code>cordova-cli</code> release.</p>
-
-<p>This release adds support for adding blackberry10 platform on any workstation OS, adds subdomain whitelisting and includes several bug fixes.</p>
-
-<p>To upgrade:</p>
-
-<pre><code>npm install -g cordova
-cd my_project
-cordova platform update blackberry10@3.8.0</code></pre>
-
-<p>To add it explicitly:</p>
-
-<pre><code>cordova platform add blackberry10@3.8.0 --save</code></pre>
-
-<p>For non-CLI projects or for pre-3.0 projects, refer to the <a href="http://cordova.apache.org/docs/en/edge/guide_platforms_index.md.html">upgrade guides</a>.</p>
-
-      <div style="padding-bottom:2em"><a href="//cordova.apache.org/announcements/2015/09/05/cordova-blackberry-3.8.0.html">Read More</a></div>
-    
   </ul>
   
   <p>
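Review bot: this hunk removes the 05 Sep "Apache Cordova BlackBerry 3.8.0" entry from the front-page news list while the only addition in this commit is the file-transfer post, so the front page appears to be capped at a fixed number of items and the oldest one rolled off. That is fine as long as the BlackBerry announcement is still reachable from public/blog/index.html (the blog hunk above only adds the new item and removes nothing), which is worth a quick check since a security advisory pushing a release announcement off the front page is a routine rotation, not a retraction.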

Added: cordova/site/public/news/2015/09/21/file-transfer-release.html
URL: http://svn.apache.org/viewvc/cordova/site/public/news/2015/09/21/file-transfer-release.html?rev=1704444&view=auto
==============================================================================
--- cordova/site/public/news/2015/09/21/file-transfer-release.html (added)
+++ cordova/site/public/news/2015/09/21/file-transfer-release.html Mon Sep 21 23:56:37 2015
@@ -0,0 +1,196 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <link rel="SHORTCUT ICON" href="//cordova.apache.org/favicon.ico"/>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <meta name = "format-detection" content = "telephone=no">
+    <meta name="viewport" content="user-scalable=no, initial-scale=1, maximum-scale=1, minimum-scale=1, width=device-width" />
+    <!-- Original Jekyll
+    <meta name="viewport" content="width=device-width">
+    -->
+    <title>cordova--plugin-file-transfer release: September 21, 2015</title>
+    <!-- syntax highlighting CSS -->
+    <link rel="stylesheet" href="//cordova.apache.org/css/syntax.css">
+    <!-- Custom CSS -->
+    <link rel="stylesheet" href="//cordova.apache.org/css/main.css">
+
+    <!-- Cordova CSS -->
+    <link rel="stylesheet" type="text/css" href="//cordova.apache.org/css/master.css">
+    <script src="//cordova.apache.org/js/smooth.pack.js" type="text/javascript"></script>
+</head>
+
+<body>
+    <a class="scroll-point pt-top" name="top">
+</a>
+<div id="header">
+    <div class="wrap">
+        <a class="logo" href="//cordova.apache.org/#top"></a>
+        <div class="menu">
+            <a href="//cordova.apache.org/#about">About</a>
+            <a href="//cordova.apache.org/#news">News</a>
+            <a href="http://cordova.apache.org/docs/en/5.0.0/">Documentation</a>
+            <a href="http://plugins.cordova.io/">Plugins</a>
+            <a href="//cordova.apache.org/#links">Quick Links</a>
+            <a href="//cordova.apache.org/#contribute">Contribute</a>
+            <a href="//cordova.apache.org/#mailing-list">Mailing List</a>
+        </div>
+        <form class="menu-dropdown">
+            <select onchange="location = this.options[this.selectedIndex].value;">
+                <option value="//cordova.apache.org/#about">About</option>
+                <option value="//cordova.apache.org/#news">News</option>
+                <option value="http://cordova.apache.org/docs/en/5.0.0/">Documentation</option>
+                <option value="http://plugins.cordova.io/">Plugins</option>
+                <option value="//cordova.apache.org/#links">Quick Links</option>
+                <option value="//cordova.apache.org/#contribute">Contribute</option>
+                <option value="//cordova.apache.org/#mailing-list">Mailing List</option>
+            </select>
+        </form>
+    </div>
+    <div class="shadow"></div>
+</div> <!-- /header -->
+<div class="header-placeholder"></div>
+
+    <div class="site">
+    <h2>cordova--plugin-file-transfer release: September 21, 2015</h2>
+    <div class="meta">Posted by: <a href=""></a></div>
+    <p class="meta">21 Sep 2015</p>
+    <div class="post">
+    
+<p>A medium security issue was discovered for cordova-plugin-file-transfer plugin. We are releasing version <code>1.3.0</code> of <code>cordova-plugin-file-transer</code> to address this security issue. We recommend that all applications currently using an older version of this plugin to upgrade as soon as possible.</p>
+<hr />
+<p>You can update the plugin by removing it, and then re-adding it.</p>
+
+<p>E.g. To update your file-transer plugin:</p>
+
+<pre><code>cordova plugin rm cordova-plugin-file-transfer --save
+cordova plugin add cordova-plugin-file-transfer --save</code></pre>
+
+<p>The security issue is CVE-2015-5204.</p>
+
+<p>For your convenience, the text of the CVE is included here:</p>
+<!--more--><hr />
+<p>CVE-2015-5204: HTTP header injection vulerability in Apache Cordova File Transfer Plugin for Android</p>
+
+<p>Severity: Medium</p>
+
+<p>Vendor: The Apache Software Foundation</p>
+
+<p>Versions Affected: Cordova Android File Transfer Plugin (1.2.1 and below)</p>
+
+<p>Description: Android applications built with the Cordova framework that use the File Transfer Plugin can have the HTTP headers set by that plugin be manipulated by the filename being uploaded. This allows for for cookies to be forged by the Cordova application, or for the file payload to be replaced in some situations. Remotely hosted applications and applications developed with Cordova that allow the user to manually enter the filename are especially vulnerable to this issue.</p>
+
+<p>Upgrade path: Developers who are concerned about this issue should install version 1.3.0 or higher of the Cordova File Transfer Plugin and rebuild their applications. This plugin now conforms with RFC-2616 and no longer allows non-ASCII characters and control characters in header names or values. Any non-ASCII characters will be removed from the header. Developers should be aware, and encode these characters before adding the values to the header.</p>
+
+<p>Credit: This issue was discovered by Muneaki Nishimura (Sony Digital Network Applications, Inc.)</p>
+
+<p>=======================</p>
+
+<p>cordova-plugin-file-transfer@1.3.0</p>
+
+<ul>
+<li>Found issue where : is accepted as a valid header, this is obviously wrong</li>
+
+<li><a href="https://issues.apache.org/jira/browse/CB-9562">CB-9562</a> Fixed incorrect headers handling on Android</li>
+
+<li>Fixing headers so they don’t accept non-ASCII</li>
+
+<li>updated tests to use cordova apache vm</li>
+
+<li><a href="https://issues.apache.org/jira/browse/CB-9493">CB-9493</a> Fix file paths in file-transfer manual tests</li>
+
+<li><a href="https://issues.apache.org/jira/browse/CB-8816">CB-8816</a> Add cdvfile:// support on windows</li>
+
+<li><a href="https://issues.apache.org/jira/browse/CB-9376">CB-9376</a> Fix FileTransfer plugin manual tests issue - ‘undefined’ in paths</li>
+</ul>
+
+    </div>
+</div>
+
+    <a class="scroll-point" name="links"></a>
+<hr/>
+
+<div class="wrap quick-links-pane">
+    <h2 class="icon icon-quick-links">Quick Links</h2>
+    <br/>
+    <ul class="quick-links-header">
+        <li>General</li>
+        <li>Development</li>
+        <li class="last">Apache Software Foundation</li>
+    </ul>
+    <div class="clear"></div>
+</div>
+
+<div class="grid">
+    <div class="wrap">
+        <div class="list-container">
+            <ul class="list quick-links">
+                <li class="corner"></li>
+                <li><a href="//cordova.apache.org/index.html#about">About Cordova<span></span></a></li>
+
+                
+                <li><a href="http://projects.apache.org/projects/cordova.html">Apache Project Page<span></span></a></li>
+                
+                <li><a href="http://www.apache.org/licenses/LICENSE-2.0">License<span></span></a></li>
+                
+
+                <li><a href="//cordova.apache.org/artwork.html">Artwork<span></span></a></li>
+            </ul>
+
+            <ul class="list quick-links">
+                <li class="corner"></li>
+                <li><a href="//cordova.apache.org/index.html#download">Download<span></span></a></li>
+                <li><a href="http://cordova.apache.org/docs/en/5.0.0/">Documentation<span></span></a></li>
+
+                
+                <li><a href="https://git-wip-us.apache.org/repos/asf">Source Code<span></span></a></li>
+                
+                <li><a href="https://issues.apache.org/jira/browse/CB">Issue Tracker<span></span></a></li>
+                
+                <li><a href="http://wiki.apache.org/cordova/">Wiki<span></span></a></li>
+                
+
+                <li><a href="//cordova.apache.org/index.html#mailing-list">Mailing List<span></span></a></li>
+
+                <li><a href="http://stackoverflow.com/tags/cordova">Support<span></span></a></li>
+            </ul>
+
+            <ul class="list quick-links last">
+                <li class="corner"></li>
+                
+                <li><a href="http://www.apache.org/">About ASF<span></span></a></li>
+                
+                <li><a href="http://www.apache.org/foundation/thanks.html">Thanks<span></span></a></li>
+                
+                <li><a href="http://www.apache.org/foundation/sponsorship.html">Become a Sponsor<span></span></a></li>
+                
+                <li><a href="http://www.apache.org/security/">Security<span></span></a></li>
+                
+            </ul>
+
+            <div class="clear"></div>
+        </div>
+    </div>
+</div>
+
+    <hr/>
+<div id="footer">
+    <p>Copyright © 2012, 2013 The Apache Software Foundation, Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.<br/>
+    Apache and the Apache feather logos are <a href="http://www.apache.org/foundation/marks/list/">trademarks</a> of The Apache Software Foundation.
+    </p>
+    <a class="closing" href="#top"></a>
+</div>
+
+    <script>
+    (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
+    (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
+    m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
+    })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
+
+    ga('create', 'UA-64283057-3', 'auto');
+    ga('send', 'pageview');
+</script>
+
+</body>
+</html>
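Review bot: '<div class="meta">Posted by: <a href=""></a></div>' renders an empty author link; the cause is in the markdown source, where "name:" and "url:" sit at the same indentation as "author:" instead of nested under it, so the template sees no author. Indent those two keys under "author:" and regenerate. The advisory text that will be quoted verbatim by aggregators also carries typos: "vulerability" in the CVE-2015-5204 title line, "allows for for cookies" in the description, and "cordova-plugin-file-transer" in the intro paragraph. The footer's "Copyright © 2012, 2013" is stale template text on a page dated 2015.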

Modified: cordova/site/public/rss.xml
URL: http://svn.apache.org/viewvc/cordova/site/public/rss.xml?rev=1704444&r1=1704443&r2=1704444&view=diff
==============================================================================
--- cordova/site/public/rss.xml (original)
+++ cordova/site/public/rss.xml Mon Sep 21 23:56:37 2015
@@ -5,8 +5,8 @@
         <description>Apache Cordova - Apache Cordova is a set of device APIs that allow a web mobile app developer to access native device function from JavaScript.</description>
         <atom:link href="http://cordova.apache.org/rss.xml" rel="self" type="application/rss+xml" />
         <link>http://cordova.apache.org/rss.xml</link>
-        <lastBuildDate>Wed, 09 Sep 2015 21:46:38 -0700</lastBuildDate>
-        <pubDate>Wed, 09 Sep 2015 21:46:38 -0700</pubDate>
+        <lastBuildDate>Mon, 21 Sep 2015 16:42:00 -0700</lastBuildDate>
+        <pubDate>Mon, 21 Sep 2015 16:42:00 -0700</pubDate>
         <ttl>1800</ttl>
         <image>
             <url>http://cordova.apache.org</url>
@@ -19,6 +19,61 @@
 
 
         <item>
+                <title>cordova--plugin-file-transfer release: September 21, 2015</title>
+                <description>
+&lt;p&gt;A medium security issue was discovered for cordova-plugin-file-transfer plugin. We are releasing version &lt;code&gt;1.3.0&lt;/code&gt; of &lt;code&gt;cordova-plugin-file-transer&lt;/code&gt; to address this security issue. We recommend that all applications currently using an older version of this plugin to upgrade as soon as possible.&lt;/p&gt;
+&lt;hr /&gt;
+&lt;p&gt;You can update the plugin by removing it, and then re-adding it.&lt;/p&gt;
+
+&lt;p&gt;E.g. To update your file-transer plugin:&lt;/p&gt;
+
+&lt;pre&gt;&lt;code&gt;cordova plugin rm cordova-plugin-file-transfer --save
+cordova plugin add cordova-plugin-file-transfer --save&lt;/code&gt;&lt;/pre&gt;
+
+&lt;p&gt;The security issue is CVE-2015-5204.&lt;/p&gt;
+
+&lt;p&gt;For your convenience, the text of the CVE is included here:&lt;/p&gt;
+&lt;!--more--&gt;&lt;hr /&gt;
+&lt;p&gt;CVE-2015-5204: HTTP header injection vulerability in Apache Cordova File Transfer Plugin for Android&lt;/p&gt;
+
+&lt;p&gt;Severity: Medium&lt;/p&gt;
+
+&lt;p&gt;Vendor: The Apache Software Foundation&lt;/p&gt;
+
+&lt;p&gt;Versions Affected: Cordova Android File Transfer Plugin (1.2.1 and below)&lt;/p&gt;
+
+&lt;p&gt;Description: Android applications built with the Cordova framework that use the File Transfer Plugin can have the HTTP headers set by that plugin be manipulated by the filename being uploaded. This allows for for cookies to be forged by the Cordova application, or for the file payload to be replaced in some situations. Remotely hosted applications and applications developed with Cordova that allow the user to manually enter the filename are especially vulnerable to this issue.&lt;/p&gt;
+
+&lt;p&gt;Upgrade path: Developers who are concerned about this issue should install version 1.3.0 or higher of the Cordova File Transfer Plugin and rebuild their applications. This plugin now conforms with RFC-2616 and no longer allows non-ASCII characters and control characters in header names or values. Any non-ASCII characters will be removed from the header. Developers should be aware, and encode these characters before adding the values to the header.&lt;/p&gt;
+
+&lt;p&gt;Credit: This issue was discovered by Muneaki Nishimura (Sony Digital Network Applications, Inc.)&lt;/p&gt;
+
+&lt;p&gt;=======================&lt;/p&gt;
+
+&lt;p&gt;cordova-plugin-file-transfer@1.3.0&lt;/p&gt;
+
+&lt;ul&gt;
+&lt;li&gt;Found issue where : is accepted as a valid header, this is obviously wrong&lt;/li&gt;
+
+&lt;li&gt;&lt;a href=&quot;https://issues.apache.org/jira/browse/CB-9562&quot;&gt;CB-9562&lt;/a&gt; Fixed incorrect headers handling on Android&lt;/li&gt;
+
+&lt;li&gt;Fixing headers so they don’t accept non-ASCII&lt;/li&gt;
+
+&lt;li&gt;updated tests to use cordova apache vm&lt;/li&gt;
+
+&lt;li&gt;&lt;a href=&quot;https://issues.apache.org/jira/browse/CB-9493&quot;&gt;CB-9493&lt;/a&gt; Fix file paths in file-transfer manual tests&lt;/li&gt;
+
+&lt;li&gt;&lt;a href=&quot;https://issues.apache.org/jira/browse/CB-8816&quot;&gt;CB-8816&lt;/a&gt; Add cdvfile:// support on windows&lt;/li&gt;
+
+&lt;li&gt;&lt;a href=&quot;https://issues.apache.org/jira/browse/CB-9376&quot;&gt;CB-9376&lt;/a&gt; Fix FileTransfer plugin manual tests issue - ‘undefined’ in paths&lt;/li&gt;
+&lt;/ul&gt;
+</description>
+                <link>http://cordova.apache.org/news/2015/09/21/file-transfer-release.html</link>
+                <guid>http://cordova.apache.org/news/2015/09/21/file-transfer-release</guid>
+                <pubDate>Mon, 21 Sep 2015</pubDate>
+        </item>
+
+        <item>
                 <title>Tools Release: September 9th, 2015</title>
                 <description>
 &lt;p&gt;New versions of cordova tools are now live!&lt;/p&gt;
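Review bot: the item-level '<pubDate>Mon, 21 Sep 2015</pubDate>' carries no time or zone offset, whereas the channel-level lastBuildDate and pubDate in this same file use the full form "Mon, 21 Sep 2015 16:42:00 -0700". RSS 2.0 dates follow RFC 822, which includes the time and zone, so strict feed readers may reject or mis-sort this item; emit the full form here as well. The escaped "&lt;!--more--&gt;" excerpt marker is also leaking into the feed description and should be stripped at generation time.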

Added: cordova/site/www/_posts/2015-09-21-file-transfer-release.md
URL: http://svn.apache.org/viewvc/cordova/site/www/_posts/2015-09-21-file-transfer-release.md?rev=1704444&view=auto
==============================================================================
--- cordova/site/www/_posts/2015-09-21-file-transfer-release.md (added)
+++ cordova/site/www/_posts/2015-09-21-file-transfer-release.md Mon Sep 21 23:56:37 2015
@@ -0,0 +1,71 @@
+---
+layout: post
+author:
+name: Steve Gill
+url: https://twitter.com/stevesgill
+title:  "cordova--plugin-file-transfer release: September 21, 2015"
+categories: news
+tags: release plugins
+---
+
+A medium security issue was discovered for cordova-plugin-file-transfer plugin. We are releasing version `1.3.0` of `cordova-plugin-file-transer` to address this security issue. We recommend that all applications currently using an older version of this plugin to upgrade as soon as possible. 
+
+----
+You can update the plugin by removing it, and then re-adding it.
+
+ E.g. To update your file-transer plugin:
+
+    cordova plugin rm cordova-plugin-file-transfer --save
+    cordova plugin add cordova-plugin-file-transfer --save
+
+The security issue is CVE-2015-5204.
+
+For your convenience, the text of the CVE is included here:
+
+<!--more-->
+
+---
+CVE-2015-5204: HTTP header injection vulerability in Apache Cordova File
+Transfer Plugin for Android
+
+Severity:
+ Medium
+
+Vendor:
+ The Apache Software Foundation
+
+Versions Affected:
+ Cordova Android File Transfer Plugin  (1.2.1 and below)
+
+Description:
+ Android applications built with the Cordova framework that use the File
+ Transfer Plugin can have the HTTP headers set by that plugin be manipulated
+ by the filename being uploaded.  This allows for for cookies to be forged
+ by the Cordova application, or for the file payload to be replaced in some
+ situations.  Remotely hosted applications and applications developed with
+ Cordova that allow the user to manually enter the filename are
+ especially vulnerable to this issue.
+
+Upgrade path:
+ Developers who are concerned about this issue should install version 1.3.0
+ or higher of the Cordova File Transfer Plugin and rebuild their
+ applications.  This plugin now conforms with RFC-2616 and no longer allows
+ non-ASCII characters and control characters in header names or values.
+ Any non-ASCII
+ characters will be removed from the header.  Developers should be aware,
+ and encode these
+ characters before adding the values to the header.
+
+Credit:
+ This issue was discovered by Muneaki Nishimura (Sony Digital Network Applications, Inc.)
+
+=======================
+
+cordova-plugin-file-transfer@1.3.0
+* Found issue where : is accepted as a valid header, this is obviously wrong
+* [CB-9562](https://issues.apache.org/jira/browse/CB-9562) Fixed incorrect headers handling on Android
+* Fixing headers so they don't accept non-ASCII
+* updated tests to use cordova apache vm
+* [CB-9493](https://issues.apache.org/jira/browse/CB-9493) Fix file paths in file-transfer manual tests
+* [CB-8816](https://issues.apache.org/jira/browse/CB-8816) Add cdvfile:// support on windows
+* [CB-9376](https://issues.apache.org/jira/browse/CB-9376) Fix FileTransfer plugin manual tests issue - 'undefined' in paths
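Review bot: the front-matter block is malformed: "author:" has no value and "name:" and "url:" follow at the same indentation, so YAML parses author as null and the two keys as unrelated top-level fields, which is why the rendered page shows an empty "Posted by" link. Indent "name:" and "url:" two spaces under "author:". Wording fixes in the same hunk: "cordova-plugin-file-transer" and "your file-transer plugin" should read "cordova-plugin-file-transfer", matching the commands that follow; "vulerability" in the CVE title; "allows for for cookies"; "We recommend that all applications ... to upgrade" should drop the "to"; and the stray leading space before "E.g." on the line above the indented code block.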


