Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(android): Add mitigation strategy for CVE-2020-6506 #792

Merged
merged 1 commit into from
Nov 17, 2020

Conversation

carlpoole
Copy link
Contributor

@carlpoole carlpoole commented Oct 7, 2020

Platforms affected

Android

Motivation and Context

These changes mitigate the security vulnerability (CVE-2020-6506) recently found in Chromium that affects the Android WebView prior to version 83.0.4103.106.

See: https://cordova.apache.org/news/2020/09/29/cve-2020-6506.html
See: https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/
See: https://bugs.chromium.org/p/chromium/issues/detail?id=1083819

Description

This mitigation strategy works by enabling the flag to handle multiple windows in the InAppBrowser plugin. When a new window event occurs, the plugin attempts to load the target in a temporary WebView. If the URL is clean it will be passed back to the original InAppBrowser WebView to mimic the original single-window behavior. This filters out Javascript (and thus any malicious code).

Testing

This mitigation was tested using proof-of-concept pages provided by the security researcher who discovered the vulnerability (Alesandro Ortiz) linked here: https://alesandroortiz.com/security/chromiumwebview/cve-2020-6506.html

Checklist

  • I've run the tests to see all new and existing tests pass
  • I added automated test coverage as appropriate for this change
  • Commit is prefixed with (platform) if this change only applies to one platform (e.g. (android))
  • If this Pull Request resolves an issue, I linked to the issue in the text above (and used the correct keyword to close issues using keywords)
  • I've updated the documentation if necessary

@NiklasMerz
Copy link
Member

Strangely my very old webview in the emulator throws an error without this mitigation and does not seem vulnerable. I'm not sure if I understand this correctly though.

grafik

@NiklasMerz NiklasMerz merged commit e1d0777 into apache:master Nov 17, 2020
jessyefuster pushed a commit to jessyefuster/cordova-plugin-inappbrowser that referenced this pull request Aug 17, 2023
…nk targets opening

Revert "fix(android): Add mitigation strategy for CVE-2020-6506 (apache#792)"

This reverts commit e1d0777.
jessyefuster pushed a commit to jessyefuster/cordova-plugin-inappbrowser that referenced this pull request Dec 17, 2024
…nk targets opening

Revert "fix(android): Add mitigation strategy for CVE-2020-6506 (apache#792)"

This reverts commit e1d0777.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants