On 09/28/2015 01:41 PM, Seth Arnold wrote: > Oliver, except it's not a phone, it's a converged computing device; I > use file:/// browsing in my desktop and expect to be able to do the same > when I replace my desktop with my phone, monitor, keyboard, and mouse. > > John, I agree that the long run should definitely include an AppArmor > profile on the browser and use content hub when trying to browse outside > of that. I just wanted to make the case that blocking file:/// access > isn't the best way forward, and trying to implement a piece-meal > security policy via UI modifications is building technical debt that's > better left unsolved rather than handled poorly. Thanks for forcing a > clarification. > Oh I agree this has to be treated as a hybrid device, not just a phone. The point I am trying to make is that even just temporarily blocking file:// via the ui does not address the problem.
The browser still has file access and any vulnerability can take advantage of it. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to webbrowser-app in Ubuntu. https://bugs.launchpad.net/bugs/1393515 Title: browser allows browsing the phone filesystem Status in webbrowser-app package in Ubuntu: Confirmed Status in webbrowser-app package in Ubuntu RTM: Confirmed Bug description: Using a URL like: file:/// gets you to the root of the phone filesystem ... i assume this is not actually desired since we even block the filemanager app to go higher up then $HOME without requiring a password. The webbrowser-app should either: * behave like the file-manager (see bug #1347010 for details) * file:/// should be disabled altogether on the phone * webbrowser-app should run confined which would force the use of content-hub by limiting file:/// access to those paths allowed by policy To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/webbrowser-app/+bug/1393515/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
