klukvaboy / opensudoku-android

Automatically exported from code.google.com/p/opensudoku-android

Invalid explicit intent makes the application access protected resources in SdmImportTask class #170

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Opensudoku version 1.1.5

An explicit intent that violates the intent filter for activity FileImportActivity 
makes the application access the network in the SdmImportTask class while 
attempting to get a .opensudoku file from a remote location.
The intent should be rejected before potentially causing security issues.

Violating intent is:
intent://192.168.39.169/android/nmjC.opensudoku;
scheme=http;
action=android.intent.action.SYNC;
category=android.intent.category.DEFAULT;
while action in the filter is defined as:
<action android:name="android.intent.action.VIEW"></action>

A JUnit test case to reproduce the scenario is attached.

Original issue reported on code.google.com by andrea....@gmail.com on 31 Jan 2013 at 5:21

GoogleCodeExporter commented 8 years ago
Correction:
Violating intent is:
intent://192.168.39.169/android/BSrH.sdm
scheme=https;
action=android.intent.action.VIEW;
category=android.intent.category.BROWSABLE;
while data scheme in the filter is defined as:
<data android:scheme="file" android:host="*"  android:pathPattern=".*\\.sdm" />
<data android:scheme="http" android:host="*"  android:pathPattern=".*\\.sdm" />
for .sdm files

Original comment by andrea....@gmail.com on 31 Jan 2013 at 5:32

GoogleCodeExporter commented 8 years ago

Original comment by romario...@gmail.com on 10 Feb 2013 at 7:28
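
Android applies intent filters only when resolving implicit intents, so an explicit intent reaches an exported activity whatever its action or data, and the activity has to re-check those fields itself. The following is an added example, not code from OpenSudoku or from the reporter's test case: a plain-Java sketch of that check using the filter values quoted in the two reports above, where the class and method names are hypothetical and the third sample URI is constructed.

```java
import java.net.URI;
import java.util.Set;

/** Re-checks an incoming intent against the filter values quoted in this issue. */
public class ImportIntentCheck {
    // Values copied from the manifest lines quoted in the reports.
    static final String ALLOWED_ACTION = "android.intent.action.VIEW";
    static final Set<String> ALLOWED_SCHEMES = Set.of("file", "http");
    // pathPattern=".*\\.sdm" must match the whole path, i.e. the path ends in ".sdm".
    // Filter entries for other extensions are not shown on the page and are left out.
    static final String ALLOWED_SUFFIX = ".sdm";

    /** Returns null when the intent conforms, otherwise the reason to reject it. */
    static String rejectReason(String action, String dataUri) {
        if (!ALLOWED_ACTION.equals(action)) {
            return "action not in filter: " + action;
        }
        if (dataUri == null) {
            return "no data URI";
        }
        URI uri;
        try {
            uri = URI.create(dataUri);
        } catch (IllegalArgumentException e) {
            return "malformed data URI";
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme)) {
            return "scheme not in filter: " + scheme;
        }
        String path = uri.getPath(); // null for opaque URIs
        if (path == null || !path.endsWith(ALLOWED_SUFFIX)) {
            return "path does not match filter: " + path;
        }
        return null;
    }

    public static void main(String[] args) {
        String[][] samples = {
            {"android.intent.action.SYNC", "http://192.168.39.169/android/nmjC.opensudoku"},
            {"android.intent.action.VIEW", "https://192.168.39.169/android/BSrH.sdm"},
            // Constructed conforming intent, for comparison.
            {"android.intent.action.VIEW", "http://192.168.39.169/android/BSrH.sdm"},
        };
        for (String[] s : samples) {
            String reason = rejectReason(s[0], s[1]);
            System.out.println(s[0] + " " + s[1] + " -> "
                    + (reason == null ? "accept" : "reject (" + reason + ")"));
        }
    }
}
```

In the activity, the same check would take `getIntent().getAction()` and `getIntent().getDataString()` and call `finish()` on a non-null result before SdmImportTask is started; that placement is an assumption about the app's code, which the page does not show.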