Investigate usages of ZipFile or ZipInputStream in GV ar related to the path restrictions in Android 14
Categories: Firefox for Android :: General, task, P1
People: Reporter: mcarare, Assigned: jonalmeida
Whiteboard: [foundation] [fxdroid]
For apps targeting Android 14, Android prevents the Zip Path Traversal Vulnerability in the following way:
ZipFile(String) and ZipInputStream.getNextEntry() throw a ZipException if zip file entry names contain ".." or start with "/".
Apps can opt out of this validation by calling dalvik.system.ZipPathValidator.clearCallback().
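As an added illustration (not code from this bug or from the Fenix/GeckoView tree), the Android 14 rule quoted above applied as an explicit pre-check that works on any API level: a constructed in-memory archive with one benign and two hostile entry names is read with ZipInputStream, and an entry is accepted only if its name passes the same ".." / leading "/" test. The class and method names are assumed.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.zip.*;

public class ZipEntryNameCheck {
    // Same rule Android 14 applies by default: reject any entry name containing ".."
    // or starting with "/". (Hypothetical helper, not an Android API.)
    static void validateEntryName(String name) throws ZipException {
        if (name.contains("..") || name.startsWith("/")) {
            throw new ZipException("Invalid zip entry path: " + name);
        }
    }
    // Constructed sample archive: one benign name and two traversal attempts.
    static byte[] buildSampleZip() throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bytes)) {
            for (String name : new String[] {"assets/ok.txt", "../escape.txt", "/abs.txt"}) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write("x".getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bytes.toByteArray();
    }
    // Reads the archive and returns the entry names that pass the check. On Android 14+
    // getNextEntry() itself throws ZipException for such names (unless the app called
    // ZipPathValidator.clearCallback()); on older API levels and desktop JDKs only the
    // explicit check below stops them, so nothing may be extracted before it runs.
    static List<String> acceptedEntries(byte[] zip) throws IOException {
        List<String> accepted = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(zip))) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                try {
                    validateEntryName(entry.getName());
                    accepted.add(entry.getName());
                } catch (ZipException e) {
                    System.err.println("rejected: " + e.getMessage());
                }
                zis.closeEntry();
            }
        }
        return accepted;
    }
    public static void main(String[] args) throws IOException {
        System.out.println(acceptedEntries(buildSampleZip()));
    }
}
```

On a desktop JDK only "assets/ok.txt" is returned and the two hostile names are reported on stderr; on Android 14 the loop ends at the first hostile entry because getNextEntry() throws before the check is reached.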
Updated • 2 years ago

Comment 1 • 2 years ago
The Android team has not been keeping our P1 bug list up to date, so we're resetting all our P1 bugs to P2 to avoid signalling that we're actively working on bugs that we're not. The BMO documentation https://wiki.mozilla.org/BMO/UserGuide/BugFields#priority says P1 means "fix in the current release cycle" and P2 means "fix in the next release cycle or the following (nightly + 1 or nightly + 2)".
If you are actively working on this bug and expect to ship it in Fx 122 or 123, then please restore the priority back to P1.
Comment 2 • 2 years ago (Assignee)
Since we only have one place where we use ZipFile directly, we are always passing in a File to it which should resolve to a full path name. Even otherwise, that pathname is always a fully qualified one before we pass it to File.
Leaving this open for zmckenney or mcarare to validate before closing.
Comment 3 • 2 years ago (Reporter)
I agree with the findings and the fact there is no further action needed.
We never use ZipFile(String), we only use ZipFile(File). And we never use ZipInputStream.getNextEntry().
Updated • 2 years ago (Assignee)