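--- a/changelog.d/9144.bugfix
+++ b/changelog.d/9144.bugfix
@@ -0,0 +1 @@
+Drop allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs in VectorWebViewActivity and WidgetWebView. Both call sites only load http/https URLs, so the flags are not load-bearing and are CWE-200 sandbox-escape vectors when left on.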
Expand Up @@ -55,10 +55,14 @@ class VectorWebViewActivity : VectorBaseActivity<ActivityVectorWebViewBinding>()
// Allow use of Local Storage
domStorageEnabled = true

@Suppress("DEPRECATION")
allowFileAccessFromFileURLs = true
@Suppress("DEPRECATION")
allowUniversalAccessFromFileURLs = true
// allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs
// only take effect when the main frame is a file:// URL. This
// Activity is launched with EXTRA_URL set to an http/https URL
// (identity-server terms pages, SSO fallback, etc.), so neither
// flag is load-bearing here, and
// allowUniversalAccessFromFileURLs in particular is a
// CWE-200 sandbox-escape vector if a file:// load ever lands
// in this Activity.

displayZoomControls = false
}
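Review bot: The added comment says this Activity only ever receives an http/https EXTRA_URL, but nothing in this hunk enforces that, and dropping the assignments leaves both settings at whatever the platform default is for the app's target SDK. Pin the safe values rather than relying on the default, e.g. `@Suppress("DEPRECATION") allowFileAccessFromFileURLs = false` and `@Suppress("DEPRECATION") allowUniversalAccessFromFileURLs = false`, and consider `allowFileAccess = false` if no file:// content is ever shown here. A scheme check on the URL before it is loaded would turn the comment's assumption into a guarantee; the load call is outside this hunk, so I cannot tell whether one already exists. The same applies to the `setupForWidget` hunk, whose comment asserts that widgets are always served over https.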
Expand Up @@ -42,10 +42,11 @@ fun WebView.setupForWidget(activity: Activity,
// Allow use of Local Storage
settings.domStorageEnabled = true

@Suppress("DEPRECATION")
settings.allowFileAccessFromFileURLs = true
@Suppress("DEPRECATION")
settings.allowUniversalAccessFromFileURLs = true
// allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs
// only take effect when the main frame is a file:// URL. Widgets are
// always served from an https widget URL, so neither flag is
// load-bearing here, and allowUniversalAccessFromFileURLs in
// particular is a CWE-200 sandbox-escape vector.

settings.displayZoomControls = false
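Review bot: The comment calls allowUniversalAccessFromFileURLs a "CWE-200 sandbox-escape vector", which mixes two things: CWE-200 is information exposure, and the comment never says what the flag actually permits. It also documents settings that no longer appear in the code, so it will read oddly once the removed lines are forgotten. A shorter comment that states the behaviour would hold up better, for example `// File-URL cross-origin access stays off: with it on, script in a file:// page could read content from any origin.` The changelog entry and the VectorWebViewActivity hunk use the same label. `setupForWidget` continues beyond this hunk.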
