[jira] [Commented] (CB-7183) Prevent plugins from modifying files outside of the project
[ https://issues.apache.org/jira/browse/CB-7183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15067193#comment-15067193 ]

ASF GitHub Bot commented on CB-7183:

Github user asfgit closed the pull request at:

    https://github.com/apache/cordova-lib/pull/355

> Prevent plugins from modifying files outside of the project
> ---
>
> Key: CB-7183
> URL: https://issues.apache.org/jira/browse/CB-7183
> Project: Apache Cordova
> Issue Type: Bug
> Components: CordovaLib
> Reporter: Andrew Grieve
> Assignee: Byoungro So
> Labels: cordova-6.0.0
>
> Right now this is possible:
> {code}
> target-dir="../../../../../hooks/pre_package"/>
> {code}
> We should ensure that plugins are not able to touch files outside of the
> project directory!

--
This message was sent by Atlassian JIRA (v6.3.4#6332)

To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org
For additional commands, e-mail: issues-h...@cordova.apache.org
[jira] [Commented] (CB-7183) Prevent plugins from modifying files outside of the project
[ https://issues.apache.org/jira/browse/CB-7183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15067191#comment-15067191 ]

ASF subversion and git services commented on CB-7183:

Commit 5eb351e08eb9b2c7c685b7c06a4fc50316bcce02 in cordova-lib's branch refs/heads/master from [~bso]
[ https://git-wip-us.apache.org/repos/asf?p=cordova-lib.git;h=5eb351e ]

CB-7183 prevent read/write/modify files outside project from plugins

This closes #355
[jira] [Commented] (CB-7183) Prevent plugins from modifying files outside of the project
[ https://issues.apache.org/jira/browse/CB-7183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15063142#comment-15063142 ]

ASF GitHub Bot commented on CB-7183:

Github user bso-intel commented on the pull request:

    https://github.com/apache/cordova-lib/pull/355#issuecomment-165621005

    Hi Shazron,
    Could you review this CB-7183?
    As we discussed we need some security check for plugins accessing outside the plugins directory.
    Please pull if it looks okay.
    Thanks.
[jira] [Commented] (CB-7183) Prevent plugins from modifying files outside of the project
[ https://issues.apache.org/jira/browse/CB-7183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15054075#comment-15054075 ]

ASF GitHub Bot commented on CB-7183:

GitHub user bso-intel opened a pull request:

    https://github.com/apache/cordova-lib/pull/355

    Cb 7183

    CB-7183 security check for the scriptSrc property of the engine tag.
    The other src and target-dir path escape checks are already implemented in cordova-lib/src/plugman/platforms/common.js/copyFile() function.
    The only missing security check is in the scriptSrc of the tag.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/bso-intel/cordova-lib CB-7183

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cordova-lib/pull/355.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #355

commit 5fd5d275cd13ebe9eb3b7c86b71988cdcdfa4cf8
Author: Byoungro So
Date: 2015-12-10T03:43:46Z

    CB-7183 prevent read/write/modify files outside project from plugins

commit c03534aafc218923327ae7921eb75669927625d4
Author: Byoungro So
Date: 2015-12-12T05:48:03Z

    CB-7183 security check for engine scriptSrc tag
[jira] [Commented] (CB-7183) Prevent plugins from modifying files outside of the project
[ https://issues.apache.org/jira/browse/CB-7183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15049722#comment-15049722 ]

Shazron Abdullah commented on CB-7183:

I believe this was discussed in the mailing list but somehow rejected
[jira] [Commented] (CB-7183) Prevent plugins from modifying files outside of the project
[ https://issues.apache.org/jira/browse/CB-7183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15049737#comment-15049737 ]

Shazron Abdullah commented on CB-7183:

No, things change all the time, I think a fresh perspective could change others' minds.
This is where we discussed it, but in the context of hooks:
http://markmail.org/message/ikovjpm2akal4zic

Now that I read that thread again, I think it's a different situation though
[jira] [Commented] (CB-7183) Prevent plugins from modifying files outside of the project
[ https://issues.apache.org/jira/browse/CB-7183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15049733#comment-15049733 ]

Byoungro So commented on CB-7183:

Hi Shazron,
Do you mean this issue won't get accepted?
In the XDK, we disallow plugins from reading/modifying any files outside the project for security reasons.
It is not only the element.
I am planning to make security checks in other elements too.
Any reason why we do not need these security checks?
Thanks.