
shotwell: validate TLS certificates

Package(s): shotwell
CVE #(s):
Created: January 13, 2016
Updated: March 22, 2016
Description: From the GNOME bugzilla:

Seems Shotwell logs into Facebook, etc. without validating TLS certificates.

Since you use WebKit1 you're responsible not just for all security bugs since security updates ended a year ago, but also for validating TLS certificates on the SoupSession used by your WebKitWebView, before sending any HTTP headers. I've never done this before, but I think the right way is to connect to WebKitWebView:resource-request-starting, grab the WebKitNetworkRequest, get the SoupMessage property from it, then connect to notify::tls-errors and cancel the message immediately in the signal handler (not sure how to do that). I think you also have to somehow tell libsoup to check for TLS errors in the first place; should be easy if you can find a way to get the SoupSession from WebKit.

Alerts:
Fedora FEDORA-2016-191ff70357 shotwell 2016-01-13
Fedora FEDORA-2016-902a2b18d8 shotwell 2016-01-13
openSUSE openSUSE-SU-2016:0845-1 shotwell 2016-03-21
openSUSE openSUSE-SU-2016:0844-1 shotwell 2016-03-21
Mageia MGASA-2016-0111 shotwell 2016-03-16
