Hi All,
 
we have a problem with the following commit:
=====================================================
Author:       hengzhi.wu <[email protected]>
Author date:  4 months ago (4.7.2016 3:52:16)
Commit date:  4 months ago (4.7.2016 9:40:50)
Commit hash:  60026878e7d770412f2c8a6a6a0cedc261482b28
Parent(s):    873a672d83
 
[Android] Fix the potential vulnerability issue.
 
For SSL errors, if the user allows it, the native layer will keep the host and
the error number; future communications with the same host and error will
not trigger the onReceivedSslError callback. Even if the certificate is
invalid, all requests will also be passed; it's vulnerable for some
serious SSL errors.
Especially with MITM, sensitive messages will be stolen, e.g.
passwords, credit cards.
Deny the invalid requests for some serious SSL errors to avoid this issue.
 
For keeping the host and error num, please refer to
https://codereview.chromium.org/794023002
We also have the same implementation.
 
BUG=XWALK-6986
====================================================
The commit introduces the check
 
+        boolean shouldDeny = SslUtil.shouldDenyRequest(certError);
+        if (shouldDeny) {
+            Toast.makeText(mXWalkView.getContext(), 
R.string.ssl_error_deny_request,
+                    Toast.LENGTH_SHORT).show();
+            return false;
+        }
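Review bot: the early `return false` denies the request before `onReceivedSslError` is ever invoked, so the embedding application gets no chance to take part in the decision for these errors: an app that deliberately pins a known test certificate in a debug build is cut off exactly like one that blindly accepts everything. Consider still routing the error through the client callback (or gating the hard deny on the application not being debuggable) and documenting the new behaviour in the XWalkResourceClient javadoc, since existing overrides of `onReceivedSslError` silently stop being called. Also, `Toast.makeText(...).show()` runs on every denied request in `allowCertificateError`, which fires once per resource, so a page with many subresources will show the toast repeatedly; a once-per-host notice or a log line would be less noisy.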
 
in 
runtime/android/core_internal/src/org/xwalk/core/internal/XWalkContentsClientBridge.java
 in 
 
private boolean allowCertificateError(int certError, byte[] derBytes, final String url, final int id)
 
which simply denies many SSL errors without calling
 
onReceivedSslError(org.xwalk.core.XWalkView view, android.webkit.ValueCallback<java.lang.Boolean> callback, android.net.http.SslError error)
 
so we cannot ignore the SSL errors in the debug version of our Android
application, and our developers cannot test the app against in-lab test web
services that have no valid certificate.
 
Is there a way to ignore SSL/cert errors in the debug version? Before
the commit it was very simple in the XWalkResourceClient class:
 
@Override
public void onReceivedSslError(org.xwalk.core.XWalkView view,
        android.webkit.ValueCallback<java.lang.Boolean> callback,
        android.net.http.SslError error) {
    if (BuildConfig.DEBUG) {
        callback.onReceiveValue(true);
    } else {
        super.onReceivedSslError(view, callback, error);
    }
}
 
Thank you for any help.
 
--
 Stanislav Kolář
 Senior Developer
 +420 377 338 901
 
 
 
 Get more done.
 www.samepage.io
_______________________________________________
Crosswalk-help mailing list
[email protected]
https://lists.crosswalk-project.org/mailman/listinfo/crosswalk-help
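A safer shape for the debug-only override quoted above, as an added example (editor's code, not Crosswalk's and not the poster's): instead of accepting every certificate when BuildConfig.DEBUG is set, accept only the lab test server's certificate, matched by its SHA-256 fingerprint, so a debug build that ends up on a hostile network is not silently MITM-able. It applies to the errors the runtime still passes to onReceivedSslError; for the errors the commit denies outright, the poster notes the callback is never reached, and the remaining option is to make the lab certificate valid (install the lab CA on the test device so no error is raised). Assumptions: DebugPinningResourceClient and LAB_CERT_SHA256 are names invented here, the fingerprint value is a placeholder, BuildConfig is the app's own generated class, and the "x509-certificate" key is an AOSP implementation detail of SslCertificate.saveState() used to recover the DER bytes on API levels where getX509Certificate() is not public.

```java
// Added example, not Crosswalk project code. Debug-only SSL override that pins
// the lab test certificate by SHA-256 fingerprint instead of accepting everything.
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Bundle;
import android.webkit.ValueCallback;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;
import org.xwalk.core.XWalkResourceClient;
import org.xwalk.core.XWalkView;

public class DebugPinningResourceClient extends XWalkResourceClient {
    // Placeholder (assumed value). Replace with the lab server's real fingerprint:
    //   openssl x509 -in lab.crt -noout -fingerprint -sha256   (strip the colons)
    private static final String LAB_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    public DebugPinningResourceClient(XWalkView view) {
        super(view);
    }

    @Override
    public void onReceivedSslError(XWalkView view, ValueCallback<Boolean> callback, SslError error) {
        // Release builds never override the runtime's decision.
        // BuildConfig is assumed to be the app's own generated class.
        if (!BuildConfig.DEBUG) {
            super.onReceivedSslError(view, callback, error);
            return;
        }
        // Debug builds proceed only when the presented leaf certificate is the
        // pinned lab certificate; any other invalid certificate is still rejected.
        boolean trusted = matchesLabCert(error.getCertificate());
        callback.onReceiveValue(trusted);
    }

    // True only when the certificate's DER encoding hashes to the pinned value.
    static boolean matchesLabCert(SslCertificate cert) {
        byte[] der = derBytes(cert);
        if (der == null) {
            return false;
        }
        String fingerprint = sha256Hex(der);
        return fingerprint != null && fingerprint.equalsIgnoreCase(LAB_CERT_SHA256);
    }

    // SslCertificate.saveState() stores the DER bytes under "x509-certificate"
    // (AOSP implementation detail; assumed here because getX509Certificate()
    // is not public on older API levels).
    private static byte[] derBytes(SslCertificate cert) {
        if (cert == null) {
            return null;
        }
        Bundle state = SslCertificate.saveState(cert);
        return state == null ? null : state.getByteArray("x509-certificate");
    }

    // Lower-case hex SHA-256 of the input, or null if the digest is unavailable.
    private static String sha256Hex(byte[] data) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(data);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format(Locale.ROOT, "%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            return null;
        }
    }
}
```

The callback is invoked exactly once on every path, and the pin is on the leaf certificate's full DER encoding, so a rotated lab certificate needs a new fingerprint; that is deliberate, since it is what stops a different self-signed certificate from an interception proxy being accepted just because the build is a debug build.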