
Webview Vulnerability Fix


A vulnerability has been discovered which allows Node.js integration to be re-enabled in some Electron applications that disable it. This vulnerability has been assigned the CVE identifier CVE-2018-1000136.


Affected Applications

An application is affected if all of the following are true:

  1. Runs on Electron 1.7, 1.8, or a 2.0.0-beta
  2. Allows execution of arbitrary remote code
  3. Disables Node.js integration
  4. Does not explicitly declare webviewTag: false in its webPreferences
  5. Does not enable the nativeWindowOption option
  6. Does not intercept new-window events and manually override event.newGuest without using the supplied options tag
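As an added audit helper, not part of the Electron advisory, the following JavaScript checks the conditions from the list above that can be read from configuration alone: the Electron version against the fixed releases named under Mitigation (1.7.13, 1.8.4 and 2.0.0-beta.5, so anything earlier on the 1.7, 1.8 or 2.0.0-beta lines counts as affected), and conditions 3 and 4 from the webPreferences object passed to BrowserWindow. The function names and the version parsing are this example's own; conditions 2, 5 and 6 depend on application behaviour and are reported for manual review.

```javascript
// Added example (not the advisory's own code): configuration audit for
// CVE-2018-1000136. Fixed releases are the ones the advisory names.
const FIXED_PATCH = { '1.7': 13, '1.8': 4 }; // 1.7.13 and 1.8.4
const FIXED_BETA = 5;                        // 2.0.0-beta.5

// Parse "MAJOR.MINOR.PATCH[-beta.N]" into numbers; null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-beta\.(\d+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], beta: m[4] === undefined ? null : +m[4] };
}

// Condition 1: is this version earlier than the fixed release of its line?
function versionIsVulnerable(v) {
  const p = parseVersion(v);
  if (!p) return false; // unknown format: cannot claim it is affected
  if (p.major === 2 && p.minor === 0 && p.patch === 0 && p.beta !== null) {
    return p.beta < FIXED_BETA; // 2.0.0-beta.1 .. beta.4
  }
  const fixedPatch = FIXED_PATCH[`${p.major}.${p.minor}`];
  if (fixedPatch === undefined) return false; // 1.6 and older, 2.0.0 final and later: not listed
  if (p.patch !== fixedPatch) return p.patch < fixedPatch;
  return p.beta !== null; // a pre-release of the fixed patch still predates the fix
}

// Conditions 3 and 4, read from the window's webPreferences. In Electron 1.x
// nodeIntegration defaults to true, so only an explicit false disables it.
function auditWebPreferences(webPreferences) {
  const prefs = webPreferences || {};
  return {
    nodeIntegrationDisabled: prefs.nodeIntegration === false, // condition 3
    webviewTagExplicitlyOff: prefs.webviewTag === false,      // condition 4 not met when true
  };
}

// Combine the checks. "potentiallyAffected" means every checkable condition
// holds; the remaining conditions are handed back for manual review.
function auditConfiguration(electronVersion, webPreferences) {
  const prefs = auditWebPreferences(webPreferences);
  const notAffectedBecause = [];
  if (!versionIsVulnerable(electronVersion)) {
    notAffectedBecause.push('Electron version is not in the affected range (condition 1)');
  }
  if (!prefs.nodeIntegrationDisabled) {
    notAffectedBecause.push('Node.js integration is not disabled (condition 3)');
  }
  if (prefs.webviewTagExplicitlyOff) {
    notAffectedBecause.push('webviewTag: false is declared (condition 4)');
  }
  return {
    potentiallyAffected: notAffectedBecause.length === 0,
    notAffectedBecause,
    manualReview: [
      'condition 2: does the app load or execute remote code?',
      'condition 5: is the nativeWindowOption option enabled?',
      'condition 6: are new-window events intercepted with event.newGuest overridden?',
    ],
  };
}
```

A configuration of `{ nodeIntegration: false }` on Electron 1.8.3 reports potentiallyAffected: true, while the same configuration with `webviewTag: false` added, or on 1.8.4, does not.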

Although this appears to be a minority of Electron applications, we encourage all applications to be upgraded as a precaution.

Mitigation

This vulnerability is fixed in today's 1.7.13, 1.8.4, and 2.0.0-beta.5 releases.

Developers who are unable to upgrade their application's Electron version can mitigate the vulnerability with the following code:

const { app } = require('electron');

app.on('web-contents-created', (event, win) => {
  win.on(
    'new-window',
    (event, newURL, frameName, disposition, options, additionalFeatures) => {
      // Strip Node.js access from any window a page opens, whatever the
      // supplied options request.
      if (!options.webPreferences) options.webPreferences = {};
      options.webPreferences.nodeIntegration = false;
      options.webPreferences.nodeIntegrationInWorker = false;
      options.webPreferences.webviewTag = false;
      delete options.webPreferences.preload;
    },
  );
});

// and *IF* you don't use WebViews at all,
// you might also want
app.on('web-contents-created', (event, win) => {
  win.on('will-attach-webview', (event, webPreferences, params) => {
    // Refuse every <webview> attachment.
    event.preventDefault();
  });
});

Further Information

This vulnerability was found and reported responsibly to the Electron project by Brendan Scarvell of Trustwave SpiderLabs.

To learn more about best practices for keeping your Electron apps secure, see our security tutorial.

To report a vulnerability in Electron, please email security@electronjs.org.

Please join our email list to receive updates about releases and security updates.