Invalid explicit intent makes the application access protected resources in SdmImportTask class

Question

Invalid explicit intent makes the application access protected resources in SdmImportTask class

Opened this issue 9 years ago · 3 comments

GoogleCodeExporter commented 9 years ago

Opensudoku version 1.1.5

Explicit intent that violates intent filter for activity FileImportActivity 
makes the application access the network in SdmImportTask class while 
attempting to get a .opensudoku file from a remote location.
Intent should be rejected before potentially causing security issues.

Violating intent is:
intent://192.168.39.169/android/nmjC.opensudoku;
scheme=http;
action=android.intent.action.SYNC;
category=android.intent.category.DEFAULT;
while action in the filter is defined as:
<action android:name="android.intent.action.VIEW"></action>

A JUnit test case to reproduce the scenario is attached

Original issue reported on code.google.com by andrea....@gmail.com on 31 Jan 2013 at 5:21

Answer 1 · 2016-01-03T09:45:12.000Z

[deleted comment]

Answer 2 · 2016-01-03T09:45:12.000Z

Errata Corrige
Violating intent is:
intent://192.168.39.169/android/BSrH.sdm
scheme=https;
action=android.intent.action.VIEW;
category=android.intent.category.BROWSABLE;
while data scheme in the filter is defined as:
<data android:scheme="file" android:host="*"  android:pathPattern=".*\\.sdm" />
<data android:scheme="http" android:host="*"  android:pathPattern=".*\\.sdm" />
for .sdm files

Original comment by andrea....@gmail.com on 31 Jan 2013 at 5:32

Attachments:

FileImportActivityTest22.java

Answer 3 · 2016-01-03T09:45:12.000Z

Original comment by romario...@gmail.com on 10 Feb 2013 at 7:28

Changed state: Accepted