InAppBrowser and File Transfer Plugins: Important security update

  • 1
  • Announcement
  • Updated 6 years ago
The core PhoneGap plugins were recently updated by the Cordova guys, and included important security updates for the InAppBrowser and File Transfer plugins. They are now available on PhoneGap Build, and should be updated in your app if you are explicitly setting the plugin versions in your config.xml. Otherwise they will be automatically updated the next time you update your code.

Edit: File Transfer Plugin, not File plugin.

Also note that the rest of the core plugins are being updated as well.
Photo of ryan

ryan, Developer

  • 1538 Posts
  • 132 Reply Likes

Posted 6 years ago

  • 1
Photo of ryan

ryan, Developer

  • 1538 Posts
  • 132 Reply Likes
OK looks like the new InAppBrowser was causing some failed builds on Android. Disabled it for now while we look into it. Use 0.2.3 again for now.
Photo of Daniel Tink

Daniel Tink

  • 27 Posts
  • 1 Reply Like
Hi Ryan

The new Media plugin causes iOS to build fail, but Android OK. If i revert media back to previous version iOS builds fine.

Also new file-transfer plugin causes both iOS and Android to build fail. Reverting back to previous version builds fine.

Hope that helps!
Daniel
Photo of Red2678

Red2678

  • 255 Posts
  • 0 Reply Likes
Hi Ryan,

Has the new plugin been enabled?

Thanks!
Photo of Adam Tuttle

Adam Tuttle

  • 134 Posts
  • 0 Reply Likes
I have a bug with window.open; I'm not sure if it relates to InAppBrowser or not, and if so I don't know if this affects any versions after 2.3.2 since I can't test with the latest.

* App using jQuery Mobile
* some screens have no navigation except an {a data-rel="back"}back{/a} button.
* if that screen opens the system browser with window.open(url, '_system', null); and the user goes BACK to the app, the navigation provided by data-rel="back" is now broken; including, on Android, the Android back button.

The only way to resolve this is to force-quit the application and start it back up.

If you want to see it in action you can reach out to me to get a login to my app. The app id is #796177.
Photo of Adam Tuttle

Adam Tuttle

  • 134 Posts
  • 0 Reply Likes
I am mitigating this *somewhat* by avoiding data-rel=back links wherever possible, but in some cases it's the preferred behavior because you might get to a single screen from various other locations and need to have more than one possible return path.
Photo of ryan

ryan, Developer

  • 1538 Posts
  • 132 Reply Likes
@Red2678 -- not yet, the version of pluginstall we have on our servers is failing with the new InAppBrowser, so we're in the process of updating this.

@Adam, this sounds like an issue with the framework itself, rather than with PhoneGap Build in particular. Might suggest bringing this up on the Google Group, and potentially log an issue at the Cordova Issue tracker.
Photo of Duver Jaramillo

Duver Jaramillo

  • 3 Posts
  • 0 Reply Likes
Have been 3 days since i can ́t build my app on android, always getting the "Oh geez. Your build failed. Sorry, but a problem occurred on the build server" message.

APP ID: 817135

Plugins used:
<gap:plugin name="org.apache.cordova.file" />
<gap:plugin name="org.apache.cordova.network-information" />
<gap:plugin name="org.apache.cordova.device" />
<gap:plugin name="org.apache.cordova.file-transfer" />
<gap:plugin name="org.apache.cordova.camera" />
<gap:plugin name="com.phonegap.plugins.facebookconnect">
<param name="APP_ID" value="xxxxxxxxxxxxx" />
<param name="APP_NAME" value="xxxxxxxxxxxxx" />
</gap:plugin>
<gap:plugin name="de.appplant.cordova.plugin.local-notification"/>
<gap:plugin name="nl.x-services.plugins.videocaptureplus" />
<gap:plugin name="nl.x-services.plugins.socialsharing" />

(fb connect values xxx on purpose)
Photo of ismael jimoh

ismael jimoh

  • 4116 Posts
  • 192 Reply Likes
App from the id you provided seems to have been deleted.

Can you help provide updated ID?

Thanks
Photo of Duver Jaramillo

Duver Jaramillo

  • 3 Posts
  • 0 Reply Likes
Hi Ismael, the app ID is: 817124 or 817135 i have the app in 2 accounts to test.
Photo of ismael jimoh

ismael jimoh

  • 4116 Posts
  • 192 Reply Likes
Hi Duver,

Change file-transfer plugin to this: gap:plugin name="org.apache.cordova.file-transfer"  version="0.3.2"

That's the cause of the error in both projects.

Photo of Duver Jaramillo

Duver Jaramillo

  • 3 Posts
  • 0 Reply Likes
It worked out. Thank you very much!
Photo of ismael jimoh

ismael jimoh

  • 4116 Posts
  • 192 Reply Likes
You welcome.

Glad to help.
Photo of ismael jimoh

ismael jimoh

  • 4116 Posts
  • 192 Reply Likes
Hi Duvier,

Let me have a look at this.

Would get back to you shortly.
Photo of Petra V.

Petra V., Champion

  • 7794 Posts
  • 1391 Reply Likes
The search function returned this message in this thread, although I don't see it after opening the full thread:

"Hi Duver, Change file-transfer plugin to this: gap:plugin name="org.apache.cordova.file-transfer" version="0.3.2" That's the cause of the error in both projects."

Now, I just tried to build an app with FileTransfer without version specified, and it returned the red error button with an error message about the plugin (iOS and Android). Then I specified this older version 0.3.2 in my config.xml and the builds went through.

My question: how would I (and of course all others) know when it is safe to remove the version attribute from the plugin line again? I don't want to be stuck with the older version for too long a time, when the latest version works correctly.
Photo of ismael jimoh

ismael jimoh

  • 4116 Posts
  • 192 Reply Likes
Hi Petra,

We'll be announcing once this is safe to use again.

Really sorry for the confusion and delays this might have caused.


Photo of Red2678

Red2678

  • 255 Posts
  • 0 Reply Likes
Any ETA on that? Thanks.
Photo of ismael jimoh

ismael jimoh

  • 4116 Posts
  • 192 Reply Likes
Hi Red,

I'm not sure, but would get back to you once I have some more details.

Hope that's okay.
Photo of alonecomp

alonecomp

  • 9 Posts
  • 0 Reply Likes
Error - Plugin unsupported: org.apache.cordova.file @ 0.2.4 (SHA1) - You can fix this here
On Windows Phone

AppID 552775

I have set explicitly version 1.0.1 but still aiming for 0.2.4
Photo of Red2678

Red2678

  • 255 Posts
  • 0 Reply Likes
Hi Ryan,

I am having an issue with the inApp events not firing.

http://community.phonegap.com/nitobi/...

https://groups.google.com/forum/#!top...

Are you going to release the new version of the plugin soon?
Photo of ryan

ryan, Developer

  • 1538 Posts
  • 132 Reply Likes
Yes, just finishing up a plugman upgrade -- once done should be able to push the new InAppBrowser version. Early next week if all goes as planned.
Photo of Red2678

Red2678

  • 255 Posts
  • 0 Reply Likes
Thanks man, have a great night!
Photo of ryan

ryan, Developer

  • 1538 Posts
  • 132 Reply Likes
Photo of Red2678

Red2678

  • 255 Posts
  • 0 Reply Likes
You rock Ryan!
Photo of ryan

ryan, Developer

  • 1538 Posts
  • 132 Reply Likes