From 832e6265735ac75685625b917b81d374c55a3926 Mon Sep 17 00:00:00 2001 From: Chris Alfano Date: Mon, 27 Oct 2014 11:51:28 -0400 Subject: [PATCH 1/4] CB-7726 fix typo in gitignore: ant-built -> ant-build github: close #131 --- bin/templates/project/gitignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/templates/project/gitignore b/bin/templates/project/gitignore index a1c8ff71..6e524459 100644 --- a/bin/templates/project/gitignore +++ b/bin/templates/project/gitignore @@ -5,7 +5,7 @@ local.properties /gradlew.bat /gradle # Ant builds -ant-built +ant-build ant-gen # Eclipse builds gen From fc63f66e8970ab537dda1397a6b58e6d61252c17 Mon Sep 17 00:00:00 2001 From: Ian Clelland Date: Mon, 27 Oct 2014 15:26:38 -0400 Subject: [PATCH 2/4] CB-7758: Allow content-url-hosted pages to access the bridge This allows e.g. jsHybugger to create pages with access to Cordova APIs. We restrict access to content provider URLs which are at subdomains of the application itself, ie, begin with "content://com.your.package.id." --- framework/src/org/apache/cordova/CordovaBridge.java | 10 +++++++--- framework/src/org/apache/cordova/CordovaWebView.java | 2 +- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/framework/src/org/apache/cordova/CordovaBridge.java b/framework/src/org/apache/cordova/CordovaBridge.java index c3f10f3b..f3e48b69 100644 --- a/framework/src/org/apache/cordova/CordovaBridge.java +++ b/framework/src/org/apache/cordova/CordovaBridge.java 
@@ -37,12 +37,14 @@ public class CordovaBridge { private NativeToJsMessageQueue jsMessageQueue; private volatile int expectedBridgeSecret = -1; // written by UI thread, read by JS thread. private String loadedUrl; + private String appContentUrlPrefix; - public CordovaBridge(PluginManager pluginManager, NativeToJsMessageQueue jsMessageQueue) { + public CordovaBridge(PluginManager pluginManager, NativeToJsMessageQueue jsMessageQueue, String packageName) { this.pluginManager = pluginManager; this.jsMessageQueue = jsMessageQueue; + this.appContentUrlPrefix = "content://" + packageName + "."; } - + public String jsExec(int bridgeSecret, String service, String action, String callbackId, String arguments) throws JSONException, IllegalAccessException { if (!verifySecret("exec()", bridgeSecret)) { return null; @@ -165,7 +167,9 @@ public class CordovaBridge { // Protect against random iframes being able to talk through the bridge. // Trust only file URLs and the start URL's domain. // The extra origin.startsWith("http") is to protect against iframes with data: having "" as origin. - if (origin.startsWith("file:") || (origin.startsWith("http") && loadedUrl.startsWith(origin))) { + if (origin.startsWith("file:") || + origin.startsWith(this.appContentUrlPrefix) || + (origin.startsWith("http") && loadedUrl.startsWith(origin))) { // Enable the bridge int bridgeMode = Integer.parseInt(defaultValue.substring(9)); jsMessageQueue.setBridgeMode(bridgeMode); diff --git a/framework/src/org/apache/cordova/CordovaWebView.java b/framework/src/org/apache/cordova/CordovaWebView.java index 862f2ded..0c62b769 100755 --- a/framework/src/org/apache/cordova/CordovaWebView.java +++ b/framework/src/org/apache/cordova/CordovaWebView.java 
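Review bot: `appContentUrlPrefix` is assigned once in the constructor and then acts as a trust anchor for bridge access, so it should be declared `private final String appContentUrlPrefix;` and carry a comment such as `// Prefix of content: URLs whose authority starts with this app's package name; matching origins may enable the bridge.` A null `packageName` silently yields the prefix `content://null.`, so the constructor should fail early, for example with `if (packageName == null) throw new IllegalArgumentException("packageName");`. The added parameter also changes a public constructor signature, which is worth noting in the commit message for embedders that construct `CordovaBridge` themselves. The class body continues outside the hunk.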
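Review bot: The new `origin.startsWith(this.appContentUrlPrefix)` branch trusts a content: URL by the spelling of its authority, not by which app owns the provider. Android requires provider authorities to be unique on a device but does not reserve the `<package>.` namespace for that package, so a provider declared by a different installed app can carry a matching authority, and a page served from it would pass this check and be allowed to enable the bridge. Resolving the authority and comparing the owning package closes that gap; it needs a `PackageManager` handed to the constructor, and the field names in the sketch below are suggestions only. The enclosing method starts and ends outside the hunk.

```java
// … unchanged: comment block explaining which origins are trusted …
if (origin.startsWith("file:") ||
        isOwnContentOrigin(origin) ||
        (origin.startsWith("http") && loadedUrl.startsWith(origin))) {
// … unchanged: bridge-mode setup …

// Accepts a content: origin only when its provider is declared by this app.
// packageManager / packageName: proposed fields, set in the constructor.
private boolean isOwnContentOrigin(String origin) {
    if (!origin.startsWith("content://")) {
        return false;
    }
    String authority = Uri.parse(origin).getAuthority();
    if (authority == null) {
        return false;
    }
    ProviderInfo provider = packageManager.resolveContentProvider(authority, 0);
    return provider != null && packageName.equals(provider.packageName);
}
```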
@@ -152,7 +152,7 @@ public class CordovaWebView extends WebView { super.setWebViewClient(webViewClient); pluginManager = new PluginManager(this, this.cordova, pluginEntries); - bridge = new CordovaBridge(pluginManager, new NativeToJsMessageQueue(this, cordova)); + bridge = new CordovaBridge(pluginManager, new NativeToJsMessageQueue(this, cordova), this.cordova.getActivity().getPackageName()); resourceApi = new CordovaResourceApi(this.getContext(), pluginManager); pluginManager.addService("App", "org.apache.cordova.App"); From 032ea8a8d386d8bcffc5de7fd3e4202478effb7d Mon Sep 17 00:00:00 2001 From: Andrew Grieve Date: Tue, 4 Nov 2014 15:57:51 -0500 Subject: [PATCH 3/4] CB-7940 Disable exec bridge if bridgeSecret is wrong --- framework/src/org/apache/cordova/CordovaBridge.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/framework/src/org/apache/cordova/CordovaBridge.java b/framework/src/org/apache/cordova/CordovaBridge.java index f3e48b69..becbd529 100644 --- a/framework/src/org/apache/cordova/CordovaBridge.java +++ b/framework/src/org/apache/cordova/CordovaBridge.java @@ -99,6 +99,8 @@ public class CordovaBridge { } // Bridge secret wrong and bridge not due to it being from the previous page. if (expectedBridgeSecret < 0 || bridgeSecret != expectedBridgeSecret) { + Log.e(LOG_TAG, "Bridge access attempt with wrong secret token, possibly from malicious code. Disabling exec() bridge!"); + clearBridgeSecret(); throw new IllegalAccessException(); } return true; From e78db000c611405ba35188fdf613b4d56f84516b Mon Sep 17 00:00:00 2001 From: Andrew Grieve Date: Thu, 6 Nov 2014 15:33:10 -0500 Subject: [PATCH 4/4] CB-7974 Cancel timeout timer if view is destroyed --- framework/src/org/apache/cordova/CordovaWebView.java | 3 +++ 1 file changed, 3 insertions(+) diff --git a/framework/src/org/apache/cordova/CordovaWebView.java b/framework/src/org/apache/cordova/CordovaWebView.java index 0c62b769..4d01f586 100755 --- a/framework/src/org/apache/cordova/CordovaWebView.java 
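Review bot: The package name is fetched through `this.cordova.getActivity()`, while the very next statement already uses `this.getContext()`; `this.getContext().getPackageName()` should return the same application package name without depending on the CordovaInterface having an activity attached at this point. Because the value becomes the prefix that decides which content: origins may enable the bridge, a one-line comment above the call saying so (`// package name scopes which content: origins may use the bridge`) would help the next reader. The enclosing method starts and ends outside the hunk.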
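Review bot: The added `Log.e` and `clearBridgeSecret()` sit under `expectedBridgeSecret < 0 || bridgeSecret != expectedBridgeSecret`, so they also run when the bridge is already disabled, and every later call from page script writes another "Disabling exec() bridge!" error. Guarding the two added lines with `if (expectedBridgeSecret >= 0) { … }` keeps a single log entry per disable event and stops untrusted content from flooding the log. The fail-closed behaviour also means any script that can reach exec() can switch the bridge off for the legitimate page until the secret is regenerated (presumably on the next page load; that is not visible here), and a short comment should record this as intentional. The thrown `IllegalAccessException` would be easier to triage with a message. The enclosing method starts outside the hunk.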
+++ b/framework/src/org/apache/cordova/CordovaWebView.java @@ -783,6 +783,9 @@ public class CordovaWebView extends WebView { public void handleDestroy() { + // Cancel pending timeout timer. + loadUrlTimeout++; + // Send destroy event to JavaScript this.loadUrl("javascript:try{cordova.require('cordova/channel').onDestroy.fire();}catch(e){console.log('exception firing destroy event from native');};");