Add prompt for untrusted SSL connection on web view

Fix Google Play Warning: SSL Error Handler Vulnerability (#174)
indication · Jun 19, 2016 · 3123d86 · 3123d86
1 parent 178f4f5
commit 3123d86
Show file tree

Hide file tree

Showing 8 changed files with 36 additions and 4 deletions.
diff --git a/OpenRedmine/src/main/java/jp/redmine/redmineclient/external/lib/MyWebViewClient.java b/OpenRedmine/src/main/java/jp/redmine/redmineclient/external/lib/MyWebViewClient.java
@@ -64,9 +64,28 @@ public boolean shouldOverrideUrlLoading( WebView view, String url ) {
 	}
 
 	@Override
-	public void onReceivedSslError( WebView view, SslErrorHandler handler, SslError error ) {
+	public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error ) {
 		isSSLError = true;
-		handler.proceed();
+
+		final Builder dialog = new AlertDialog.Builder(mContext);
+		dialog.setTitle(R.string.menu_setting_unsafe_title)
+				.setView(view)
+				.setMessage(R.string.menu_setting_unsafe_confimation)
+				.setCancelable(false)
+				.setPositiveButton(view.getContext().getString(android.R.string.ok)
+						, new DialogInterface.OnClickListener() {
+							@Override
+							public void onClick(DialogInterface dialog, int which) {
+								handler.proceed();
+							}
+						})
+				.setNegativeButton(view.getContext().getString(android.R.string.cancel)
+						, new DialogInterface.OnClickListener() {
+							public void onClick(DialogInterface dialog, int whichButton) {
+								handler.cancel();
+							}
+						})
+				.create().show();
 	}
 
 	@Override
@@ -102,9 +121,9 @@ private void showHttpAuthDialog( final HttpAuthHandler handler, final String hos
 		final HttpAuthDialogForm form = new HttpAuthDialogForm(view);
 		form.setUserID(UserID);
 		form.setPassword(Password);
-		final Builder mHttpAuthDialog = new AlertDialog.Builder((Activity)mContext);
+		final Builder mHttpAuthDialog = new AlertDialog.Builder(mContext);
 
-		mHttpAuthDialog.setTitle(view.getContext().getString(R.string.menu_setting_check_auth))
+		mHttpAuthDialog.setTitle(R.string.menu_setting_check_auth)
 			.setView(view)
 			.setCancelable(false)
 			.setPositiveButton(view.getContext().getString(android.R.string.ok)

diff --git a/OpenRedmine/src/main/res/raw/version.md b/OpenRedmine/src/main/res/raw/version.md
@@ -12,6 +12,7 @@ Next Release
 - Changed connection method to android default (Remove org.apache.http.legacy)
 - Fix crash on update issue/time entry
 - Fix remove cookies when access via webclient (#180)
+- Fix Google Play Warning: SSL Error Handler Vulnerability (#174)
 
 v3.18 - 51 - 2016/01/31
 ===========

diff --git a/OpenRedmine/src/main/res/values-de/strings.xml b/OpenRedmine/src/main/res/values-de/strings.xml
@@ -28,6 +28,8 @@
   <string name="preference_category_appearance">Aussehen</string>
   <string name="preference_category_appearance_themes">Theme</string>
   <string name="menu_refresh">Aktualisierungsliste</string>
+  <string name="menu_setting_unsafe_title">Unsafe SSL site</string>
+  <string name="menu_setting_unsafe_confimation">Connect to unsafe SSL site</string>
   <string name="menu_setting_permit_unsafe">Erlaube unsichere SSL Verbindung</string>
   <string name="menu_setting_label_certkey">Zertifikatdatei (Optional)</string>
   <string name="menu_setting_message_certkey">HINWEIS: Wenn Sie einen MD5 Zertifikatswert eingeben, überprüfen Sie, dass dieser den gleichen Fingerabdruck hat.</string>

diff --git a/OpenRedmine/src/main/res/values-ja/strings.xml b/OpenRedmine/src/main/res/values-ja/strings.xml
@@ -28,6 +28,8 @@
   <string name="preference_category_appearance">表示</string>
   <string name="preference_category_appearance_themes">テーマ</string>
   <string name="menu_refresh">更新</string>
+  <string name="menu_setting_unsafe_title">Unsafe SSL site</string>
+  <string name="menu_setting_unsafe_confimation">Connect to unsafe SSL site</string>
   <string name="menu_setting_permit_unsafe">信頼できないSSL接続を許可する</string>
   <string name="menu_setting_label_certkey">証明書キー (オプション)</string>
   <string name="menu_setting_message_certkey">メモ: 証明書のMD5キーを入力した場合、証明書が同じであるか検証します</string>

diff --git a/OpenRedmine/src/main/res/values-pt-rBR/strings.xml b/OpenRedmine/src/main/res/values-pt-rBR/strings.xml
@@ -28,6 +28,8 @@
   <string name="preference_category_appearance">Aparência</string>
   <string name="preference_category_appearance_themes">Tema</string>
   <string name="menu_refresh">Atualizar lista</string>
+  <string name="menu_setting_unsafe_title">Unsafe SSL site</string>
+  <string name="menu_setting_unsafe_confimation">Connect to unsafe SSL site</string>
   <string name="menu_setting_permit_unsafe">Permitir conexão através de SSL não seguro</string>
   <string name="menu_setting_label_certkey">Chave de certificação (Opcional)</string>
   <string name="menu_setting_message_certkey">NOTA: Caso você informe uma chave de certificação MD5, a certificação de validade é a mesma chave.</string>

diff --git a/OpenRedmine/src/main/res/values-ru/strings.xml b/OpenRedmine/src/main/res/values-ru/strings.xml
@@ -28,6 +28,8 @@
   <string name="preference_category_appearance">Оформление</string>
   <string name="preference_category_appearance_themes">Тема</string>
   <string name="menu_refresh">Обновить список</string>
+  <string name="menu_setting_unsafe_title">Unsafe SSL site</string>
+  <string name="menu_setting_unsafe_confimation">Connect to unsafe SSL site</string>
   <string name="menu_setting_permit_unsafe">Разрешить небезопасное SSL-соединение</string>
   <string name="menu_setting_label_certkey">Ключ сертификации (необязательно)</string>
   <string name="menu_setting_message_certkey">ВНИМАНИЕ: При вводе сертификации ключ MD5, проверки сертификация же отпечатков пальцев.</string>

diff --git a/OpenRedmine/src/main/res/values-zh/strings.xml b/OpenRedmine/src/main/res/values-zh/strings.xml
@@ -28,6 +28,8 @@
   <string name="preference_category_appearance">外观</string>
   <string name="preference_category_appearance_themes">主题</string>
   <string name="menu_refresh">刷新列表</string>
+  <string name="menu_setting_unsafe_title">Unsafe SSL site</string>
+  <string name="menu_setting_unsafe_confimation">Connect to unsafe SSL site</string>
   <string name="menu_setting_permit_unsafe">允许不安全的SSL连接</string>
   <string name="menu_setting_label_certkey">认证密钥（可选）</string>
   <string name="menu_setting_message_certkey">NOTE: 如果你使用 MD5 认证, 验证认证同指纹.</string>

diff --git a/OpenRedmine/src/main/res/values/strings.xml b/OpenRedmine/src/main/res/values/strings.xml
@@ -28,6 +28,8 @@
 	<string name="preference_category_appearance">Appearance</string>
 	<string name="preference_category_appearance_themes">Theme</string>
 	<string name="menu_refresh">Refresh list</string>
+	<string name="menu_setting_unsafe_title">Unsafe SSL site</string>
+	<string name="menu_setting_unsafe_confimation">Connect to unsafe SSL site</string>
 	<string name="menu_setting_permit_unsafe">Permit unsafe SSL connection</string>
 	<string name="menu_setting_label_certkey">Certification key (Optional)</string>
 	<string name="menu_setting_message_certkey">NOTE: If you input certification MD5 key, validate certification is same fingerprint.</string>