Explicitly disables WebSQL. (duckduckgo#411)

CDRussell · web-flow · commit e4328e68fda0 · 2018-12-19T10:24:30.000Z
* Explicitly disables WebSQL.

this should be disabled already, as the docs state it is disabled by default. but given the recent Magellan, i figure it's best to be explicit so it doesn't accidentally get enabled in future.

* move WebSql disabling to its method for better clarity
diff --git a/app/src/main/java/com/duckduckgo/app/browser/BrowserTabFragment.kt b/app/src/main/java/com/duckduckgo/app/browser/BrowserTabFragment.kt
@@ -577,6 +577,7 @@ class BrowserTabFragment : Fragment(), FindListener {
                 builtInZoomControls = true
                 displayZoomControls = false
                 mixedContentMode = WebSettings.MIXED_CONTENT_COMPATIBILITY_MODE
+                disableWebSql(this)
                 setSupportZoom(true)
             }
 
@@ -597,6 +598,13 @@ class BrowserTabFragment : Fragment(), FindListener {
         }
     }
 
+    /**
+     * Explicitly disable database to try protect against Magellan WebSQL/SQLite vulnerability
+     */
+    private fun disableWebSql(settings: WebSettings) {
+        settings.databaseEnabled = false
+    }
+
     private fun addTextChangedListeners() {
         findInPageInput.replaceTextChangedListener(findInPageTextWatcher)
         omnibarTextInput.replaceTextChangedListener(omnibarInputTextWatcher)

Original file line number	Diff line number	Diff line change
`@@ -577,6 +577,7 @@ class BrowserTabFragment : Fragment(), FindListener {`
`577`	`577`	`builtInZoomControls = true`
`578`	`578`	`displayZoomControls = false`
`579`	`579`	`mixedContentMode = WebSettings.MIXED_CONTENT_COMPATIBILITY_MODE`
	`580`	`+ disableWebSql(this)`
`580`	`581`	`setSupportZoom(true)`
`581`	`582`	`}`
`582`	`583`
`@@ -597,6 +598,13 @@ class BrowserTabFragment : Fragment(), FindListener {`
`597`	`598`	`}`
`598`	`599`	`}`
`599`	`600`
	`601`	`+ /**`
	`602`	`+ * Explicitly disable database to try protect against Magellan WebSQL/SQLite vulnerability`
	`603`	`+ */`
	`604`	`+ private fun disableWebSql(settings: WebSettings) {`
	`605`	`+ settings.databaseEnabled = false`
	`606`	`+ }`
	`607`	`+`
`600`	`608`	`private fun addTextChangedListeners() {`
`601`	`609`	`findInPageInput.replaceTextChangedListener(findInPageTextWatcher)`
`602`	`610`	`omnibarTextInput.replaceTextChangedListener(omnibarInputTextWatcher)`