[Touch-packages] [Bug 1197056] Re: SDK and cordova webview applications should not use ~/.local/share/*/.QtWebKit/ for their databases

[Jamie Strandboge]

Marking cordova-ubuntu as 'Fix Released' based on status of bug
#1217439.

** Changed in: cordova-ubuntu (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1197056

Title:
  SDK and cordova webview applications should not use
  ~/.local/share/*/.QtWebKit/ for their databases

Status in Cordova Ubuntu:
  Fix Released
Status in Ubuntu UI SDK for HTML5 Apps:
  Fix Released
Status in Ubuntu UI Toolkit:
  Fix Released
Status in apparmor-easyprof-ubuntu package in Ubuntu:
  Fix Released
Status in cordova-ubuntu package in Ubuntu:
  Fix Released
Status in ubuntu-html5-theme package in Ubuntu:
  Fix Released
Status in ubuntu-ui-toolkit package in Ubuntu:
  Fix Released
Status in apparmor-easyprof-ubuntu source package in Saucy:
  Fix Released
Status in ubuntu-ui-toolkit source package in Saucy:
  Fix Released
Status in apparmor-easyprof-ubuntu source package in Trusty:
  Fix Released
Status in cordova-ubuntu source package in Trusty:
  Won't Fix
Status in ubuntu-html5-theme source package in Trusty:
  Fix Released
Status in ubuntu-ui-toolkit source package in Trusty:
  Fix Released

Bug description:
  Ubuntu SDK applications that use webkit webviews store webkit databases in 
places like this:
  ~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db
  ~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db

  This results in AppArmor rules like the following:
  owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db" 
rwk,
  owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db" rwk,

  But these rules are too lenient because this could disclose data to a
  malicious app and a malicious app could poison the databases.
  Therefore, these paths need to be made application specific.
  Specifically webbrowser-app should be adjusted to use
  $XDG_DATA_HOME/<app_pkgname> for webapps, where '<app_pkgname>' is the
  "name" field in the Click manifest (see bug #1197037 for details).

  The same bug affects cordova-ubuntu, but writes are to 
@{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit resulting in these 
too-lenient rules:
    owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/WebpageIcons.db" rwk,
    owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/cookies.db" rwk,
    owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/LocalStorage/"   r,
    owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/LocalStorage/**" rwk,

To manage notifications about this bug go to:
https://bugs.launchpad.net/cordova-ubuntu/+bug/1197056/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp