Security/Reviews/Gaia/wallpaper
Contents
App Review Details
- App: Wallpaper
- Review Date:17 August 2013
- Latest Commit: https://github.com/mozilla-b2g/gaia/commit/7ad27224ad51d05cb06ac82d02e4e54dbb82ee27
- Branch Reviewed: Master
- Review Lead: Stéphanie Ouillon
Overview
The homescreen background image is configured via the wallpaper setting. It can be accessed via the "Display" menu in the settings. It allows you to change the image displayed as a wallpaper by browsing in a list of pictures (wallpaper library).
The Wallpaper app basically only register two activities: 'pick' and 'share'. The 'pick' Activity allows to select a picture 320*480 from the wallpaper library. It generates a list of pictures from which can be chosen one which will be the return value. It is used in the homescreen and the settings apps.
The list of available pictures is located at apps/wallpaper/resources/320x480/. But you can pick a picture from another source: the 'share' Activity allows an app to share an image (type image/*) to be used as wallpaper by setting 'wallpaper.image'. It is used in the gallery app for instance.
The wallpaper setting can be accessed from other apps, but it doesn't involved the activities defined in the Wallpaper app. For instance, apps/system/js/bootstrap.js defines the default background to use for all homescreens, or apps/communications/dialer/js/call_screen.js sets the caller contact image in place of the wallpaper.
Architecture
As described above.
Components
As described above.
Relevant Source Code
Source code can be found at https://github.com/mozilla-b2g/gaia/tree/master/apps/wallpaper
Application code:
- pick.html - The UI for the 'pick' Activity
- share.html - The UI for the 'share' Activity
- js/pick.js - The code for handling the 'pick' Activity
- js/share.js - The code for handling the 'share' Activity
Shared code:
- shared/js/gesture_detector.js
- shared/js/l10n.js
Permissions
The application has the following permissions:
- "settings":{ "access": "readwrite" } - The 'share' activity sets the wallpaper setting.
Web Activity Handlers
The application makes the following activities available to other apps:
- pick - To allow to select a picture from the wallpaper library located in resources/320x480/. It expects an image of 320x480 format.
The return value is a list filetype/blob/filename for the selected item.
- share - To set a picture as wallpaper from a third party app. It directly sets the wallpaper setting with the provided picture, so it doesn't return anything except the string "shared" if success.
Web Activity Usage
- pick - Gets the wallpapers library resources by an XHR request to 'resources/320x480/list.json'.
Notable Event Handlers
Code Review Notes
1. XSS & HTML Injection attacks
It is possible to manually add a picture in apps/wallpaper/resources/320x480/ and add the filename in list.json. The content of list.json is used in pick.js to select a picture as a wallpaper, but it is not checked against bad input. Each filename is then used in a concatenation to build a CSS property via url(). This can possibly lead to code injection.
2. Secure Communications
No communication with any external services.
3. (Secure) data storage
Pictures are stored in wallpaper/resources or linked via the app sharing the picture (e.g.: gallery).
4. Denial of Service
As the app doesn't check for the size of the images it is provided with, a possible DOS attack could be to provide extreme large images.
5. Use of Privileged APIs
- Settings: used to modify the wallpaper image setting.
6. Interfaces with other Apps/Content
Security Risks & Mitigating Controls
Actions & Recommendations
Regarding code injection, the following bug was filed:
- bug 906065 Data from list.json in Wallpaper is untrusted
