fix(android): Add mitigation strategy for CVE-2020-6506 (#792)

2020-11-17 10:32:05 -06:00 · 2020-11-17 10:32:05 -06:00 · e1d0777ea0
commit e1d0777ea0
parent 2e6d63751f
2 changed files with 48 additions and 0 deletions
--- a/src/android/InAppBrowser.java
+++ b/src/android/InAppBrowser.java
@ -1042,6 +1042,9 @@ public class InAppBrowser extends CordovaPlugin {
                inAppWebView.setId(Integer.valueOf(6));
                inAppWebView.getSettings().setLoadWithOverviewMode(true);
                inAppWebView.getSettings().setUseWideViewPort(useWideViewPort);
+                // Multiple Windows set to true to mitigate Chromium security bug.
+                //  See: https://bugs.chromium.org/p/chromium/issues/detail?id=1083819
+                inAppWebView.getSettings().setSupportMultipleWindows(true);
                inAppWebView.requestFocus();
                inAppWebView.requestFocusFromTouch();

--- a/src/android/InAppChromeClient.java
+++ b/src/android/InAppChromeClient.java
@ -24,8 +24,12 @@ import org.apache.cordova.PluginResult;
 import org.json.JSONArray;
 import org.json.JSONException;

+import android.annotation.TargetApi;
+import android.os.Build;
+import android.os.Message;
 import android.webkit.JsPromptResult;
 import android.webkit.WebChromeClient;
+import android.webkit.WebResourceRequest;
 import android.webkit.WebStorage;
 import android.webkit.WebView;
 import android.webkit.WebViewClient;
@ -135,4 +139,45 @@ public class InAppChromeClient extends WebChromeClient {
        return false;
    }

+    /**
+     * The InAppWebBrowser WebView is configured to MultipleWindow mode to mitigate a security
+     * bug found in Chromium prior to version 83.0.4103.106.
+     * See https://bugs.chromium.org/p/chromium/issues/detail?id=1083819
+     *
+     * Valid Urls set to open in new window will be routed back to load in the original WebView.
+     *
+     * @param view
+     * @param isDialog
+     * @param isUserGesture
+     * @param resultMsg
+     * @return
+     */
+    @Override
+    public boolean onCreateWindow(WebView view, boolean isDialog, boolean isUserGesture, Message resultMsg) {
+        WebView inAppWebView = view;
+        final WebViewClient webViewClient =
+                new WebViewClient() {
+                    @TargetApi(Build.VERSION_CODES.LOLLIPOP)
+                    @Override
+                    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
+                        inAppWebView.loadUrl(request.getUrl().toString());
+                        return true;
+                    }
+
+                    @Override
+                    public boolean shouldOverrideUrlLoading(WebView view, String url) {
+                        inAppWebView.loadUrl(url);
+                        return true;
+                    }
+                };
+
+        final WebView newWebView = new WebView(view.getContext());
+        newWebView.setWebViewClient(webViewClient);
+
+        final WebView.WebViewTransport transport = (WebView.WebViewTransport) resultMsg.obj;
+        transport.setWebView(newWebView);
+        resultMsg.sendToTarget();
+
+        return true;
+    }
 }