Closed msand closed 6 years ago
Thanks for posting this! It looks like you may not be using the latest version of React Native, v0.53.0, released in January 2018. Can you make sure this issue can still be reproduced in the latest version?
I am going to close this, but please feel free to open a new issue if you are able to confirm that this is still a problem in v0.53.0 or newer.
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients. This is a temporary error. The following address(es) deferred:
mkdirenv@gmail.com Domain salmanwaheed.info has exceeded the max emails per hour (166/150 (110%)) allowed. Message will be reattempted later
------- This is a copy of the message, including all the headers. ------
Is this a bug report?
Yes, Path Traversal Vulnerability Facebook SDK for Android Changelog 4.x
Have you read the Contributing Guidelines?
Yes
Environment
Any
Steps to Reproduce
Beginning January 16th, 2018, Google Play will block publishing of any new apps or updates which contain the Path traversal Vulnerability. Your published APK version will remain unaffected, however any updates to the app will be blocked unless you address this vulnerability.
Expected Behavior
App can be published.
Actual Behavior
App is blocked.
Reproducible Demo
https://github.com/facebook/react-native-fbsdk/tree/0.6.3/sample/HelloFacebook
Fix PR
Upgrade versions: https://github.com/facebook/react-native/pull/17747
Update docs: https://github.com/facebook/react-native-website/pull/156