LIBbb11121: Fixing a security issue

AlexanderLS · AlexanderLS · commit cdce1165ca7c · 2017-11-21T18:27:03.000+03:00
diff --git a/.travis.yml b/.travis.yml
@@ -17,10 +17,12 @@ sudo: false
 jdk: oraclejdk8
 android:
   components:
+    - platform-tools
+    - tools
     - build-tools-27.0.1
-    - extra-android-support
-    - extra-android-m2repository
     - android-27
+    - extra-android-m2repository
+    - extra-google-m2repository
   licenses:
     - '.+'
 script:
diff --git a/build.gradle b/build.gradle
@@ -29,6 +29,10 @@ allprojects {
         google()
         jcenter()
     }
+    tasks.withType(JavaCompile) {
+        options.encoding = "UTF-8"
+        options.compilerArgs << "-Xlint:unchecked"
+    }
 }
 
 task clean(type: Delete) {
diff --git a/library/build.gradle b/library/build.gradle
@@ -19,7 +19,6 @@ apply plugin: 'com.android.library'
 android {
     compileSdkVersion 27
     buildToolsVersion '27.0.1'
-    //useLibrary 'cz.msebera.android:httpclient'
     defaultConfig {
         minSdkVersion 9
         targetSdkVersion 27
diff --git a/library/src/main/java/com/vorlonsoft/android/http/MySSLSocketFactory.java b/library/src/main/java/com/vorlonsoft/android/http/MySSLSocketFactory.java
@@ -70,9 +70,19 @@ public MySSLSocketFactory(KeyStore truststore) throws NoSuchAlgorithmException,
 
         X509TrustManager tm = new X509TrustManager() {
             public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+                try {
+                    chain[0].checkValidity();
+                } catch (Exception e) {
+                    throw new CertificateException("Certificate not valid or trusted.");
+                }
             }
 
             public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+                try {
+                    chain[0].checkValidity();
+                } catch (Exception e) {
+                    throw new CertificateException("Certificate not valid or trusted.");
+                }
             }
 
             public X509Certificate[] getAcceptedIssuers() {
diff --git a/library/src/main/java/com/vorlonsoft/android/http/PersistentCookieStore.java b/library/src/main/java/com/vorlonsoft/android/http/PersistentCookieStore.java
@@ -29,6 +29,7 @@
 import java.util.Date;
 import java.util.List;
 import java.util.Locale;
+import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 
 import cz.msebera.android.httpclient.client.CookieStore;
@@ -93,7 +94,10 @@ public void addCookie(Cookie cookie) {
 
         // Save cookie into persistent store
         SharedPreferences.Editor prefsWriter = cookiePrefs.edit();
-        prefsWriter.putString(COOKIE_NAME_STORE, TextUtils.join(",", cookies.keySet()));
+
+        // This prevents map.keySet to compile to a Java 8+ KeySetView return type
+        Map<String, Cookie> map = cookies;
+        prefsWriter.putString(COOKIE_NAME_STORE, TextUtils.join(",", map.keySet()));
         prefsWriter.putString(COOKIE_NAME_PREFIX + name, encodeCookie(new SerializableCookie(cookie)));
         prefsWriter.apply();
     }
@@ -102,7 +106,9 @@ public void addCookie(Cookie cookie) {
     public void clear() {
         // Clear cookies from persistent store
         SharedPreferences.Editor prefsWriter = cookiePrefs.edit();
-        for (String name : cookies.keySet()) {
+        // This prevents map.keySet to compile to a Java 8+ KeySetView return type
+        Map<String, Cookie> map = cookies;
+        for (String name : map.keySet()) {
             prefsWriter.remove(COOKIE_NAME_PREFIX + name);
         }
         prefsWriter.remove(COOKIE_NAME_STORE);
@@ -132,9 +138,11 @@ public boolean clearExpired(Date date) {
             }
         }
 
+        // This prevents map.keySet to compile to a Java 8+ KeySetView return type
+        Map<String, Cookie> map = cookies;
         // Update names in persistent store
         if (clearedAny) {
-            prefsWriter.putString(COOKIE_NAME_STORE, TextUtils.join(",", cookies.keySet()));
+            prefsWriter.putString(COOKIE_NAME_STORE, TextUtils.join(",", map.keySet()));
         }
         prefsWriter.apply();
 
diff --git a/sample/build.gradle b/sample/build.gradle
@@ -96,7 +96,7 @@ android {
 dependencies {
     implementation 'com.android.support:multidex:1.0.2'
     implementation 'com.android.support:support-annotations:27.0.1'
-    implementation 'com.fasterxml.jackson.core:jackson-databind:2.5.3'
+    implementation 'com.fasterxml.jackson.core:jackson-databind:2.9.2'
     implementation project(':library')
     debugImplementation 'com.squareup.leakcanary:leakcanary-android:1.5.4'
     releaseImplementation 'com.squareup.leakcanary:leakcanary-android-no-op:1.5.4'
diff --git a/sample/proguard-rules.pro b/sample/proguard-rules.pro
@@ -17,5 +17,13 @@
 
 # Add any project specific keep options here:
 
--dontwarn com.fasterxml.jackson.**
--dontwarn com.vorlonsoft.android.http.**
+# Proguard configuration for Jackson 2.x (fasterxml package)
+-keep class com.fasterxml.jackson.databind.ObjectMapper {
+    public <methods>;
+    protected <methods>;
+}
+-keep class com.fasterxml.jackson.databind.ObjectWriter {
+    public ** writeValueAsString(**);
+}
+-keepnames class com.fasterxml.jackson.** { *; }
+-dontwarn com.fasterxml.jackson.databind.**

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,10 @@ allprojects {`
`29`	`29`	`google()`
`30`	`30`	`jcenter()`
`31`	`31`	`}`
	`32`	`+ tasks.withType(JavaCompile) {`
	`33`	`+ options.encoding = "UTF-8"`
	`34`	`+ options.compilerArgs << "-Xlint:unchecked"`
	`35`	`+ }`
`32`	`36`	`}`
`33`	`37`
`34`	`38`	`task clean(type: Delete) {`