--webappUrlPatterns should be hardened

Bug #1226690 reported by Jamie Strandboge
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
webbrowser-app (Ubuntu)
Fix Released
Undecided
Alexandre Abreu
Saucy
Fix Released
Undecided
Alexandre Abreu

Bug Description

In discussing https://wiki.ubuntu.com/SecurityTeam/Specifications/WebAppsConfinement it was mentioned that apps can specify url patterns that are too lax. Eg:
UrlPatterns: http://mobile.twitter.com*
Starting URL: http://mobile.twitter.com.bad.guy

Options are to
* disallow the pattern (ie, fail to launch)
* try to cleanup the pattern
* just let the app review process handle it

I haven't looked at what webbrowser-app is doing and I'm not sure how much you want to do with it, but please consider multiple globs when performing your hardening. Non exhaustive potentially bad urls:
http://*
http://**
http://*/*
http://mobile.twitter.com*
http://mobile.twitter.c*m/*
http://mobile.twitter.com*/*
...

It might be easiest to:
* only allow one glob
* the glob must happen after a '/'
* the glob must be at the end

Related branches

tags: added: application-confinement
Changed in webbrowser-app (Ubuntu Saucy):
assignee: nobody → Alexandre Abreu (abreu-alexandre)
status: New → In Progress
Olivier Tilloy (osomon)
Changed in webbrowser-app (Ubuntu Saucy):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package webbrowser-app - 0.22+13.10.20131004.1-0ubuntu1

---------------
webbrowser-app (0.22+13.10.20131004.1-0ubuntu1) saucy; urgency=low

  [ Alexandre Abreu ]
  * Harden the set of accepted url patterns. (LP: #1226690)
  * When the browser is requested to create a new tab (from a new window
    request), open the new tab externally when in webapp mode. (LP:
    #1221824)

  [ Robert Bruce Park ]
  * Enable hardening, and fix some lintian warnings.

  [ Olivier Tilloy ]
  * Use a different port for the test server when a zombie process
    doesn’t release the default one, and use cleanup functions instead
    of tearDown() for improved robustness. (LP: #1231492)
  * Live bookmarking functionality in the activity view. Known
    shortcoming: in the activity view, one should be allowed to bookmark
    a domain that contains only one page. This is currently not the
    case, it will be addressed separately.
  * Expose a single contextual menu for both images and hyperlinks. (LP:
    #1233282)

  [ Ubuntu daily release ]
  * Automatic snapshot from revision 367
 -- Ubuntu daily release <email address hidden> Fri, 04 Oct 2013 07:22:38 +0000

Changed in webbrowser-app (Ubuntu Saucy):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers