canmove, Confirmed users
1,220
edits
Security/Reviews/Gaia/wallpaper: Difference between revisions
Jump to navigation
Jump to search
no edit summary
Ptheriault (talk | contribs) (Created page with "=== App Review Details === * App: * Review Date: * Review Lead: === Overview === ===Architecture=== ====Components==== ====Relevant Source Code==== ====Permissions==...") |
Ptheriault (talk | contribs) No edit summary |
||
| Line 1: | Line 1: | ||
=== App Review Details === | === App Review Details === | ||
* App: | * App: Wallpaper | ||
* Review Date: | * Review Date:17 August 2013 | ||
* | * Latest Commit: https://github.com/mozilla-b2g/gaia/commit/7ad27224ad51d05cb06ac82d02e4e54dbb82ee27 | ||
* Branch Reviewed: Master | |||
=== Overview === | === Overview === | ||
The homescreen background image is configured via the wallpaper setting. | |||
It can be accessed via the "Display" menu in the settings. It allows you to change the image | |||
displayed as a wallpaper by browsing in a list of pictures (wallpaper library). | |||
The Wallpaper app basically only register two activities: 'pick' and 'share'. | |||
The 'pick' Activity allows to select a picture 320*480 from the wallpaper library. It generates a list of pictures from which can be chosen | |||
one which will be the return value. It is used in the homescreen and the settings apps. | |||
The list of available pictures is located at apps/wallpaper/resources/320x480/. | |||
But you can pick a picture from another source: the 'share' Activity allows an app to share an image (type image/*) to be used as wallpaper by setting 'wallpaper.image'. | |||
It is used in the gallery app for instance. | |||
The wallpaper setting can be accessed from other apps, but it doesn't involved the activities defined in the Wallpaper app. | |||
For instance, apps/system/js/bootstrap.js defines the default background to use for all homescreens, or apps/communications/dialer/js/call_screen.js | |||
sets the caller contact image in place of the wallpaper. | |||
=== Architecture === | |||
As described above. | |||
==== Components ==== | |||
As described above. | |||
==== Relevant Source Code ==== | |||
Source code can be found at https://github.com/mozilla-b2g/gaia/tree/master/apps/wallpaper | |||
Application code: | |||
* pick.html - The UI for the 'pick' Activity | |||
* share.html - The UI for the 'share' Activity | |||
* js/pick.js - The code for handling the 'pick' Activity | |||
* js/share.js - The code for handling the 'share' Activity | |||
Shared code: | |||
* shared/js/gesture_detector.js | |||
* shared/js/l10n.js | |||
==== | ==== Permissions ==== | ||
The application has the following permissions: | |||
* "settings":{ "access": "readwrite" } - The 'share' activity sets the wallpaper setting. | |||
====Web Activity | ==== Web Activity Handlers ==== | ||
The application makes the following activities available to other apps: | |||
* pick - To allow to select a picture from the wallpaper library located in resources/320x480/. It expects an image of 320x480 format. | |||
The return value is a list filetype/blob/filename for the selected item. | |||
* share - To set a picture as wallpaper from a third party app. It directly sets the wallpaper setting with the provided picture, so it doesn't return anything except the string "shared" if success. | |||
==== Web Activity Usage ==== | |||
* pick - Gets the wallpapers library resources by an XHR request to 'resources/320x480/list.json'. | |||
==== Notable Event Handlers ==== | ==== Notable Event Handlers ==== | ||
=== Code Review Notes === | |||
=== | ==== 1. XSS & HTML Injection attacks ==== | ||
It is possible to manually add a picture in apps/wallpaper/resources/320x480/ and add the filename in list.json. | |||
The content of list.json is used in pick.js to select a picture as a wallpaper, but it is not checked against bad input. | |||
Each filename is then used in a concatenation to build a CSS property via url(). This can possibly lead to code injection. | |||
==== 2. Secure Communications ==== | |||
No communication with any external services. | |||
==== 3. (Secure) data storage ==== | |||
Pictures are stored in wallpaper/resources or linked via the app sharing the picture (e.g.: gallery). | |||
==== 4. Denial of Service ==== | |||
As the app doesn't check for the size of the images it is provided with, a possible DOS attack could be | |||
to provide extreme large images. | |||
==== 5. Use of Privileged APIs ==== | |||
* Settings: used to modify the wallpaper image setting. | |||
==== 6. Interfaces with other Apps/Content ==== | |||
=== Security Risks & Mitigating Controls === | === Security Risks & Mitigating Controls === | ||
=== Actions & Recommendations === | |||
Regarding code injection, the following bug was filed: | |||
* {{bug|906065}} Data from list.json in Wallpaper is untrusted | |||