fix: vulnerable to cross-app script injection via crafted intent

- Mitigated the vulnerability by disabling the ability to open custom-defined inner URIs through external sources. This was achieved by setting `android:exported="false"`. - Setting `android:exported="false"` for the android component doesn't need to call out side from the app. fixes: LEARNER-9557
openedx-unsupported · Oct 10, 2023 · c3da710 · c3da710
1 parent bcf1d6d
commit c3da710
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/OpenEdXMobile/AndroidManifest.xml b/OpenEdXMobile/AndroidManifest.xml
@@ -232,9 +232,10 @@
 
         <activity
             android:name=".view.dialog.WebViewActivity"
+            android:exported="false"
             android:screenOrientation="portrait"
-            android:exported="true"
-            android:theme="@style/AppTheme.NoActionBar.TranslucentStatusBar">
+            android:theme="@style/AppTheme.NoActionBar.TranslucentStatusBar"
+            tools:ignore="AppLinkUrlError">
             <intent-filter>
                 <category android:name="android.intent.category.DEFAULT" />
                 <action android:name="android.intent.action.VIEW" />
@@ -255,11 +256,11 @@
         <!--Google cast expanded controls activity-->
         <activity
             android:name="org.edx.mobile.googlecast.ExpandedControlsActivity"
+            android:exported="false"
             android:launchMode="singleTask"
-            android:theme="@style/Theme.CastVideosTheme"
-            android:exported="true">
+            android:theme="@style/Theme.CastVideosTheme">
             <intent-filter>
-                <action android:name="android.intent.action.MAIN"/>
+                <action android:name="android.intent.action.MAIN" />
             </intent-filter>
         </activity>