Cordova Android < 3.5.1 XAS Security Vulnerability -- possibility of releasing a 2.7-based patched version

[St...@bentley.com]

We have released applications in the Google Play store based on Cordova 2.7.0 and have received notification from Google that these apps are vulnerable to an Android Cordova security issue (http://cordova.apache.org/announcements/2014/08/04/android-351.html).

Upgrading to Cordova 3.5.1 would require significant work on our part. Is there any possibility that you can release a patched Cordova Android version based on 2.7 that would fix this security vulnerability?

Please let me know whether you think this would be possible on your part. Thank you!

Thanks,
Steve Wilson

Re: Cordova Android < 3.5.1 XAS Security Vulnerability -- possibility of releasing a 2.7-based patched version

[Michal Mocny <mm...@chromium.org>]

Steve, it is not feasible for us to patch 2.x (sorry), as the number of
vulnerabilities there is larger than just this issue.  It really is in your
best interests to migrate (and to continue to keep up with changes going
forward).  However, we can see what we can do about helping to guide you
forward here.

Ian got this email yesterday as well for an app he published a while ago.
Perhaps we should put up instructions for the potential flood of devs
asking "How do I upgrade"?  Even if it is just organizing and pointing at
our old 2.x -> 3.0 guides.

-Michal

On Thu, Oct 2, 2014 at 11:29 AM, Joe Bowser <bo...@gmail.com> wrote:

> No, you should upgrade to 3.5.1.  We have dropped support for Cordova 2.x
> months ago, and we recommend upgrading.
>
> On Thu, Oct 2, 2014 at 7:33 AM, <St...@bentley.com> wrote:
>
> > We have released applications in the Google Play store based on Cordova
> > 2.7.0 and have received notification from Google that these apps are
> > vulnerable to an Android Cordova security issue (
> > http://cordova.apache.org/announcements/2014/08/04/android-351.html).
> >
> > Upgrading to Cordova 3.5.1 would require significant work on our part. Is
> > there any possibility that you can release a patched Cordova Android
> > version based on 2.7 that would fix this security vulnerability?
> >
> > Please let me know whether you think this would be possible on your part.
> > Thank you!
> >
> > Thanks,
> > Steve Wilson
> >
>

Re: Cordova Android < 3.5.1 XAS Security Vulnerability -- possibility of releasing a 2.7-based patched version

[julio cesar sanchez <jc...@gmail.com>]

I'm updating the app right now.

I'm using plugman and it's working fine, the only problem I've found is, as
the app is old and I don't want to change the code, I tried to install the
file plugin from an older release (older than 1.0.0 release as it brought a
lot of changes) and got an error, but I'm not even sure if plugman supports
installing plugins from older releases.

I ended downloading the older release and instaled it from the folder, this
is working fine.


2014-10-02 21:37 GMT+02:00 julio cesar sanchez <jc...@gmail.com>:

> I've using it for two and a half year on iOS but only for a year on android
> Your blog post was very helpful (
> http://infil00p.org/android/cordova/phonegap/2012/12/04/advanced-tutorial-using-cordovawebview-on-android/
> )
>
> We had a meeting with IBM guys yesterday and I think they mentioned that
> they use the embedded webviews on worklight too
>
> 2014-10-02 19:16 GMT+02:00 Joe Bowser <bo...@gmail.com>:
>
>>
>>
>> On Thu, Oct 2, 2014 at 9:57 AM, julio cesar sanchez <
>> jcesarmobile@gmail.com> wrote:
>>
>>> I have received the same mail.
>>>
>>> BTW, in one of my apps I use an embedded cordova webview and I'm not sure
>>> how to upgrade that app.
>>>
>>> My main problem is I don't know how to install the core plugins I need,
>>> that isn't explained on the embedding webviews guide. I don't think I can
>>> use the CLI as the project isn't created with the CLI and isn't a real
>>> cordova project.
>>>
>>> Any hints?
>>>
>>> Maybe using plugman?
>>>
>>
>> Yes! Use plugman to install your plugins. It's kind-of annoying, but it's
>> the best way to get them to work.  If there's bugs with Plugman, you should
>> file an issue that it doesn't support this use case.
>>
>> Also, thanks for using the Embedded Cordova WebView! I'm really glad that
>> there's real people who use it, since at times I was thinking I was making
>> a big issue out of nothing.
>>
>>
>>>
>>>
>>> 2014-10-02 17:52 GMT+02:00 Ian Clelland <ic...@chromium.org>:
>>>
>>> > That patch fixes the startURL / errorURL issue, which is one of the
>>> major
>>> > components of the 3.5.1 security release (CVE-2014-3500).
>>> >
>>> > The other issue is CVE-2014-3502, which is that intent urls can be
>>> launched
>>> > by a Cordova app regardless of the whitelist settings. There isn't a
>>> patch
>>> > which addresses this on the 2.x branch (unless IBM has produced one --
>>> > Mike?) but it shouldn't be much work to simply remove the all of the
>>> code
>>> > that handles intent / sms / geo / tel / etc. URLs from the
>>> > shouldOverrideUrlLoading method of CordovaWebViewClient.java. If you
>>> remove
>>> > the intent-launching code from that method, then it should stop your
>>> > application from launching external applications.
>>> >
>>> > That being said, if you can afford to upgrade to 3.x (3.6.x now) then
>>> it
>>> > will be much easier for you to get additional security patches in the
>>> > future. We're not running or testing 2.x anymore, and can't guarantee,
>>> for
>>> > instance, that the patch that Andrew mentioned or the technique that I
>>> just
>>> > described will actually work.
>>> >
>>> > Ian
>>> >
>>> > On Thu, Oct 2, 2014 at 11:40 AM, Andrew Grieve <ag...@chromium.org>
>>> > wrote:
>>> >
>>> > > That said, the relevant patch is here:
>>> > >
>>> > >
>>> > >
>>> >
>>> https://github.com/apache/cordova-android/commit/2ab81bc5aeb575fef3657cf48a671607e81ca37d
>>> > >
>>> > > (Ian / Joe, please correct me if there's more than that)
>>> > >
>>> > >
>>> > >
>>> > > On Thu, Oct 2, 2014 at 11:29 AM, Joe Bowser <bo...@gmail.com>
>>> wrote:
>>> > >
>>> > >> No, you should upgrade to 3.5.1.  We have dropped support for
>>> Cordova
>>> > 2.x
>>> > >> months ago, and we recommend upgrading.
>>> > >>
>>> > >> On Thu, Oct 2, 2014 at 7:33 AM, <St...@bentley.com> wrote:
>>> > >>
>>> > >> > We have released applications in the Google Play store based on
>>> > Cordova
>>> > >> > 2.7.0 and have received notification from Google that these apps
>>> are
>>> > >> > vulnerable to an Android Cordova security issue (
>>> > >> >
>>> http://cordova.apache.org/announcements/2014/08/04/android-351.html).
>>> > >> >
>>> > >> > Upgrading to Cordova 3.5.1 would require significant work on our
>>> part.
>>> > >> Is
>>> > >> > there any possibility that you can release a patched Cordova
>>> Android
>>> > >> > version based on 2.7 that would fix this security vulnerability?
>>> > >> >
>>> > >> > Please let me know whether you think this would be possible on
>>> your
>>> > >> part.
>>> > >> > Thank you!
>>> > >> >
>>> > >> > Thanks,
>>> > >> > Steve Wilson
>>> > >> >
>>> > >>
>>> > >
>>> > >
>>> >
>>>
>>
>>
>

Re: Cordova Android < 3.5.1 XAS Security Vulnerability -- possibility of releasing a 2.7-based patched version

[julio cesar sanchez <jc...@gmail.com>]

I've using it for two and a half year on iOS but only for a year on android
Your blog post was very helpful (
http://infil00p.org/android/cordova/phonegap/2012/12/04/advanced-tutorial-using-cordovawebview-on-android/
)

We had a meeting with IBM guys yesterday and I think they mentioned that
they use the embedded webviews on worklight too

2014-10-02 19:16 GMT+02:00 Joe Bowser <bo...@gmail.com>:

>
>
> On Thu, Oct 2, 2014 at 9:57 AM, julio cesar sanchez <
> jcesarmobile@gmail.com> wrote:
>
>> I have received the same mail.
>>
>> BTW, in one of my apps I use an embedded cordova webview and I'm not sure
>> how to upgrade that app.
>>
>> My main problem is I don't know how to install the core plugins I need,
>> that isn't explained on the embedding webviews guide. I don't think I can
>> use the CLI as the project isn't created with the CLI and isn't a real
>> cordova project.
>>
>> Any hints?
>>
>> Maybe using plugman?
>>
>
> Yes! Use plugman to install your plugins. It's kind-of annoying, but it's
> the best way to get them to work.  If there's bugs with Plugman, you should
> file an issue that it doesn't support this use case.
>
> Also, thanks for using the Embedded Cordova WebView! I'm really glad that
> there's real people who use it, since at times I was thinking I was making
> a big issue out of nothing.
>
>
>>
>>
>> 2014-10-02 17:52 GMT+02:00 Ian Clelland <ic...@chromium.org>:
>>
>> > That patch fixes the startURL / errorURL issue, which is one of the
>> major
>> > components of the 3.5.1 security release (CVE-2014-3500).
>> >
>> > The other issue is CVE-2014-3502, which is that intent urls can be
>> launched
>> > by a Cordova app regardless of the whitelist settings. There isn't a
>> patch
>> > which addresses this on the 2.x branch (unless IBM has produced one --
>> > Mike?) but it shouldn't be much work to simply remove the all of the
>> code
>> > that handles intent / sms / geo / tel / etc. URLs from the
>> > shouldOverrideUrlLoading method of CordovaWebViewClient.java. If you
>> remove
>> > the intent-launching code from that method, then it should stop your
>> > application from launching external applications.
>> >
>> > That being said, if you can afford to upgrade to 3.x (3.6.x now) then it
>> > will be much easier for you to get additional security patches in the
>> > future. We're not running or testing 2.x anymore, and can't guarantee,
>> for
>> > instance, that the patch that Andrew mentioned or the technique that I
>> just
>> > described will actually work.
>> >
>> > Ian
>> >
>> > On Thu, Oct 2, 2014 at 11:40 AM, Andrew Grieve <ag...@chromium.org>
>> > wrote:
>> >
>> > > That said, the relevant patch is here:
>> > >
>> > >
>> > >
>> >
>> https://github.com/apache/cordova-android/commit/2ab81bc5aeb575fef3657cf48a671607e81ca37d
>> > >
>> > > (Ian / Joe, please correct me if there's more than that)
>> > >
>> > >
>> > >
>> > > On Thu, Oct 2, 2014 at 11:29 AM, Joe Bowser <bo...@gmail.com>
>> wrote:
>> > >
>> > >> No, you should upgrade to 3.5.1.  We have dropped support for Cordova
>> > 2.x
>> > >> months ago, and we recommend upgrading.
>> > >>
>> > >> On Thu, Oct 2, 2014 at 7:33 AM, <St...@bentley.com> wrote:
>> > >>
>> > >> > We have released applications in the Google Play store based on
>> > Cordova
>> > >> > 2.7.0 and have received notification from Google that these apps
>> are
>> > >> > vulnerable to an Android Cordova security issue (
>> > >> >
>> http://cordova.apache.org/announcements/2014/08/04/android-351.html).
>> > >> >
>> > >> > Upgrading to Cordova 3.5.1 would require significant work on our
>> part.
>> > >> Is
>> > >> > there any possibility that you can release a patched Cordova
>> Android
>> > >> > version based on 2.7 that would fix this security vulnerability?
>> > >> >
>> > >> > Please let me know whether you think this would be possible on your
>> > >> part.
>> > >> > Thank you!
>> > >> >
>> > >> > Thanks,
>> > >> > Steve Wilson
>> > >> >
>> > >>
>> > >
>> > >
>> >
>>
>
>

Re: Cordova Android < 3.5.1 XAS Security Vulnerability -- possibility of releasing a 2.7-based patched version

[Joe Bowser <bo...@gmail.com>]

On Thu, Oct 2, 2014 at 9:57 AM, julio cesar sanchez <jc...@gmail.com>
wrote:

> I have received the same mail.
>
> BTW, in one of my apps I use an embedded cordova webview and I'm not sure
> how to upgrade that app.
>
> My main problem is I don't know how to install the core plugins I need,
> that isn't explained on the embedding webviews guide. I don't think I can
> use the CLI as the project isn't created with the CLI and isn't a real
> cordova project.
>
> Any hints?
>
> Maybe using plugman?
>

Yes! Use plugman to install your plugins. It's kind-of annoying, but it's
the best way to get them to work.  If there's bugs with Plugman, you should
file an issue that it doesn't support this use case.

Also, thanks for using the Embedded Cordova WebView! I'm really glad that
there's real people who use it, since at times I was thinking I was making
a big issue out of nothing.


>
>
> 2014-10-02 17:52 GMT+02:00 Ian Clelland <ic...@chromium.org>:
>
> > That patch fixes the startURL / errorURL issue, which is one of the major
> > components of the 3.5.1 security release (CVE-2014-3500).
> >
> > The other issue is CVE-2014-3502, which is that intent urls can be
> launched
> > by a Cordova app regardless of the whitelist settings. There isn't a
> patch
> > which addresses this on the 2.x branch (unless IBM has produced one --
> > Mike?) but it shouldn't be much work to simply remove the all of the code
> > that handles intent / sms / geo / tel / etc. URLs from the
> > shouldOverrideUrlLoading method of CordovaWebViewClient.java. If you
> remove
> > the intent-launching code from that method, then it should stop your
> > application from launching external applications.
> >
> > That being said, if you can afford to upgrade to 3.x (3.6.x now) then it
> > will be much easier for you to get additional security patches in the
> > future. We're not running or testing 2.x anymore, and can't guarantee,
> for
> > instance, that the patch that Andrew mentioned or the technique that I
> just
> > described will actually work.
> >
> > Ian
> >
> > On Thu, Oct 2, 2014 at 11:40 AM, Andrew Grieve <ag...@chromium.org>
> > wrote:
> >
> > > That said, the relevant patch is here:
> > >
> > >
> > >
> >
> https://github.com/apache/cordova-android/commit/2ab81bc5aeb575fef3657cf48a671607e81ca37d
> > >
> > > (Ian / Joe, please correct me if there's more than that)
> > >
> > >
> > >
> > > On Thu, Oct 2, 2014 at 11:29 AM, Joe Bowser <bo...@gmail.com> wrote:
> > >
> > >> No, you should upgrade to 3.5.1.  We have dropped support for Cordova
> > 2.x
> > >> months ago, and we recommend upgrading.
> > >>
> > >> On Thu, Oct 2, 2014 at 7:33 AM, <St...@bentley.com> wrote:
> > >>
> > >> > We have released applications in the Google Play store based on
> > Cordova
> > >> > 2.7.0 and have received notification from Google that these apps are
> > >> > vulnerable to an Android Cordova security issue (
> > >> > http://cordova.apache.org/announcements/2014/08/04/android-351.html
> ).
> > >> >
> > >> > Upgrading to Cordova 3.5.1 would require significant work on our
> part.
> > >> Is
> > >> > there any possibility that you can release a patched Cordova Android
> > >> > version based on 2.7 that would fix this security vulnerability?
> > >> >
> > >> > Please let me know whether you think this would be possible on your
> > >> part.
> > >> > Thank you!
> > >> >
> > >> > Thanks,
> > >> > Steve Wilson
> > >> >
> > >>
> > >
> > >
> >
>

Re: Cordova Android < 3.5.1 XAS Security Vulnerability -- possibility of releasing a 2.7-based patched version

[julio cesar sanchez <jc...@gmail.com>]

I have received the same mail.

BTW, in one of my apps I use an embedded cordova webview and I'm not sure
how to upgrade that app.

My main problem is I don't know how to install the core plugins I need,
that isn't explained on the embedding webviews guide. I don't think I can
use the CLI as the project isn't created with the CLI and isn't a real
cordova project.

Any hints?

Maybe using plugman?


2014-10-02 17:52 GMT+02:00 Ian Clelland <ic...@chromium.org>:

> That patch fixes the startURL / errorURL issue, which is one of the major
> components of the 3.5.1 security release (CVE-2014-3500).
>
> The other issue is CVE-2014-3502, which is that intent urls can be launched
> by a Cordova app regardless of the whitelist settings. There isn't a patch
> which addresses this on the 2.x branch (unless IBM has produced one --
> Mike?) but it shouldn't be much work to simply remove the all of the code
> that handles intent / sms / geo / tel / etc. URLs from the
> shouldOverrideUrlLoading method of CordovaWebViewClient.java. If you remove
> the intent-launching code from that method, then it should stop your
> application from launching external applications.
>
> That being said, if you can afford to upgrade to 3.x (3.6.x now) then it
> will be much easier for you to get additional security patches in the
> future. We're not running or testing 2.x anymore, and can't guarantee, for
> instance, that the patch that Andrew mentioned or the technique that I just
> described will actually work.
>
> Ian
>
> On Thu, Oct 2, 2014 at 11:40 AM, Andrew Grieve <ag...@chromium.org>
> wrote:
>
> > That said, the relevant patch is here:
> >
> >
> >
> https://github.com/apache/cordova-android/commit/2ab81bc5aeb575fef3657cf48a671607e81ca37d
> >
> > (Ian / Joe, please correct me if there's more than that)
> >
> >
> >
> > On Thu, Oct 2, 2014 at 11:29 AM, Joe Bowser <bo...@gmail.com> wrote:
> >
> >> No, you should upgrade to 3.5.1.  We have dropped support for Cordova
> 2.x
> >> months ago, and we recommend upgrading.
> >>
> >> On Thu, Oct 2, 2014 at 7:33 AM, <St...@bentley.com> wrote:
> >>
> >> > We have released applications in the Google Play store based on
> Cordova
> >> > 2.7.0 and have received notification from Google that these apps are
> >> > vulnerable to an Android Cordova security issue (
> >> > http://cordova.apache.org/announcements/2014/08/04/android-351.html).
> >> >
> >> > Upgrading to Cordova 3.5.1 would require significant work on our part.
> >> Is
> >> > there any possibility that you can release a patched Cordova Android
> >> > version based on 2.7 that would fix this security vulnerability?
> >> >
> >> > Please let me know whether you think this would be possible on your
> >> part.
> >> > Thank you!
> >> >
> >> > Thanks,
> >> > Steve Wilson
> >> >
> >>
> >
> >
>

Re: Cordova Android < 3.5.1 XAS Security Vulnerability -- possibility of releasing a 2.7-based patched version

[Ian Clelland <ic...@chromium.org>]

That patch fixes the startURL / errorURL issue, which is one of the major
components of the 3.5.1 security release (CVE-2014-3500).

The other issue is CVE-2014-3502, which is that intent urls can be launched
by a Cordova app regardless of the whitelist settings. There isn't a patch
which addresses this on the 2.x branch (unless IBM has produced one --
Mike?) but it shouldn't be much work to simply remove the all of the code
that handles intent / sms / geo / tel / etc. URLs from the
shouldOverrideUrlLoading method of CordovaWebViewClient.java. If you remove
the intent-launching code from that method, then it should stop your
application from launching external applications.

That being said, if you can afford to upgrade to 3.x (3.6.x now) then it
will be much easier for you to get additional security patches in the
future. We're not running or testing 2.x anymore, and can't guarantee, for
instance, that the patch that Andrew mentioned or the technique that I just
described will actually work.

Ian

On Thu, Oct 2, 2014 at 11:40 AM, Andrew Grieve <ag...@chromium.org> wrote:

> That said, the relevant patch is here:
>
>
> https://github.com/apache/cordova-android/commit/2ab81bc5aeb575fef3657cf48a671607e81ca37d
>
> (Ian / Joe, please correct me if there's more than that)
>
>
>
> On Thu, Oct 2, 2014 at 11:29 AM, Joe Bowser <bo...@gmail.com> wrote:
>
>> No, you should upgrade to 3.5.1.  We have dropped support for Cordova 2.x
>> months ago, and we recommend upgrading.
>>
>> On Thu, Oct 2, 2014 at 7:33 AM, <St...@bentley.com> wrote:
>>
>> > We have released applications in the Google Play store based on Cordova
>> > 2.7.0 and have received notification from Google that these apps are
>> > vulnerable to an Android Cordova security issue (
>> > http://cordova.apache.org/announcements/2014/08/04/android-351.html).
>> >
>> > Upgrading to Cordova 3.5.1 would require significant work on our part.
>> Is
>> > there any possibility that you can release a patched Cordova Android
>> > version based on 2.7 that would fix this security vulnerability?
>> >
>> > Please let me know whether you think this would be possible on your
>> part.
>> > Thank you!
>> >
>> > Thanks,
>> > Steve Wilson
>> >
>>
>
>

Re: Cordova Android < 3.5.1 XAS Security Vulnerability -- possibility of releasing a 2.7-based patched version

[Andrew Grieve <ag...@chromium.org>]

That said, the relevant patch is here:

https://github.com/apache/cordova-android/commit/2ab81bc5aeb575fef3657cf48a671607e81ca37d

(Ian / Joe, please correct me if there's more than that)



On Thu, Oct 2, 2014 at 11:29 AM, Joe Bowser <bo...@gmail.com> wrote:

> No, you should upgrade to 3.5.1.  We have dropped support for Cordova 2.x
> months ago, and we recommend upgrading.
>
> On Thu, Oct 2, 2014 at 7:33 AM, <St...@bentley.com> wrote:
>
> > We have released applications in the Google Play store based on Cordova
> > 2.7.0 and have received notification from Google that these apps are
> > vulnerable to an Android Cordova security issue (
> > http://cordova.apache.org/announcements/2014/08/04/android-351.html).
> >
> > Upgrading to Cordova 3.5.1 would require significant work on our part. Is
> > there any possibility that you can release a patched Cordova Android
> > version based on 2.7 that would fix this security vulnerability?
> >
> > Please let me know whether you think this would be possible on your part.
> > Thank you!
> >
> > Thanks,
> > Steve Wilson
> >
>

Re: Cordova Android < 3.5.1 XAS Security Vulnerability -- possibility of releasing a 2.7-based patched version

[Joe Bowser <bo...@gmail.com>]

No, you should upgrade to 3.5.1.  We have dropped support for Cordova 2.x
months ago, and we recommend upgrading.

On Thu, Oct 2, 2014 at 7:33 AM, <St...@bentley.com> wrote:

> We have released applications in the Google Play store based on Cordova
> 2.7.0 and have received notification from Google that these apps are
> vulnerable to an Android Cordova security issue (
> http://cordova.apache.org/announcements/2014/08/04/android-351.html).
>
> Upgrading to Cordova 3.5.1 would require significant work on our part. Is
> there any possibility that you can release a patched Cordova Android
> version based on 2.7 that would fix this security vulnerability?
>
> Please let me know whether you think this would be possible on your part.
> Thank you!
>
> Thanks,
> Steve Wilson
>