Posted to commits@cordova.apache.org by ag...@apache.org on 2014/11/06 21:49:27 UTC
[3/6] android commit: CB-7940 Disable exec bridge if bridgeSecret is
wrong
CB-7940 Disable exec bridge if bridgeSecret is wrong
Project: http://git-wip-us.apache.org/repos/asf/cordova-android/repo
Commit: http://git-wip-us.apache.org/repos/asf/cordova-android/commit/032ea8a8
Tree: http://git-wip-us.apache.org/repos/asf/cordova-android/tree/032ea8a8
Diff: http://git-wip-us.apache.org/repos/asf/cordova-android/diff/032ea8a8
Branch: refs/heads/4.0.x
Commit: 032ea8a8d386d8bcffc5de7fd3e4202478effb7d
Parents: fc63f66
Author: Andrew Grieve <ag...@chromium.org>
Authored: Tue Nov 4 15:57:51 2014 -0500
Committer: Andrew Grieve <ag...@chromium.org>
Committed: Tue Nov 4 15:57:51 2014 -0500
----------------------------------------------------------------------
framework/src/org/apache/cordova/CordovaBridge.java | 2 ++
1 file changed, 2 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cordova-android/blob/032ea8a8/framework/src/org/apache/cordova/CordovaBridge.java
----------------------------------------------------------------------
diff --git a/framework/src/org/apache/cordova/CordovaBridge.java b/framework/src/org/apache/cordova/CordovaBridge.java
index f3e48b6..becbd52 100644
--- a/framework/src/org/apache/cordova/CordovaBridge.java
+++ b/framework/src/org/apache/cordova/CordovaBridge.java
@@ -99,6 +99,8 @@ public class CordovaBridge {
}
// Bridge secret wrong and bridge not due to it being from the previous page.
if (expectedBridgeSecret < 0 || bridgeSecret != expectedBridgeSecret) {
+ Log.e(LOG_TAG, "Bridge access attempt with wrong secret token, possibly from malicious code. Disabling exec() bridge!");
+ clearBridgeSecret();
throw new IllegalAccessException();
}
return true;
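Review bot: The added `Log.e` and `clearBridgeSecret()` run for both halves of the condition, so they also fire when `expectedBridgeSecret < 0`. In that case the bridge is presumably already disabled or not yet initialised, so nothing was guessed and the "wrong secret token, possibly from malicious code" message would mislead anyone triaging logcat. It also lets any caller write one error line per exec attempt after the bridge is off. I would guard the two new lines with `if (expectedBridgeSecret >= 0) { ... }` so the alert and the reset happen only on a real mismatch, and add a comment such as `// Fail closed: one wrong guess disables the bridge until a new secret is issued, so the token cannot be brute-forced.` if that is the intent. The enclosing method starts and ends outside this hunk, so how the secret is regenerated after the reset is not visible here.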