Xamarin Forms default permissions - security

I have built a Xamarin.Forms app and scanned the apk using MobSF. In the generated report I noticed that the following permissions were added even though they were not included in the AndroidManifest.xml:
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.CAMERA
How can these permissions be removed? I have already removed them from the AssemblyInfo.cs.
Also, the iOS scan returns the following results:
Binary make use of banned API(s) : The binary may contain the following banned API(s) _printf, _fopen, _strncpy, _memcpy, _strcpy, _stat, _chmod, _sscanf, _strlen.
Binary make use of the insecure Random Function(s) : The binary may use the following insecure Random Function(s) _random.
Binary make use of malloc Function : The binary may use malloc function instead of calloc.
I cannot see a clear justification for these. How can these be justified, given that they come from the Xamarin.Forms framework?

What is the file named "setup.zst.sig" during installation?

I note that when cygwin's setup.exe installs packages now, it looks for a file named "setup.zst.sig" first. What is the content and format of this binary file? How do I produce a valid "setup.zst.sig"?
This must have been a recent change. Previously it looked for "setup.exe.sig" first. I use the feature (to detect whether "setup.exe.sig" changed) to decide whether my cygwin installation needs to be updated. See also this for an application example.
EDIT: #matzeri:
setup.zst.sig is not yet used.
The "zst" functionality was introduced in the program to eventually replace the
previous compression methods of setup.ini and the packages
const std::string setup_exts[] = { "zst", "xz", "bz2", "ini" };
For checking the update of setup-ARCH.exe you need to use the standard signature.
https://cygwin.com/setup-x86.exe.sig
https://cygwin.com/setup-x86_64.exe.sig
The pop-up you show seems to happen only on FTP mirror servers; the HTTP servers do not produce it.
It is clearly a bug in setup
https://cygwin.com/ml/cygwin/2019-02/msg00153.html
According to the documentation, the .sig files carry a SHA-512 hash of the respective file without that extension, signed with the private key available only to Cygwin the company.
https://www.cygwin.com/faq.html#faq.setup.install-security
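The answer above points at the published setup-ARCH.exe.sig, rather than a change in the .sig file, as the thing to check: a changed .sig only tells you a new file was published, not that it is genuine. The following is an added example, not code from this thread or from the Cygwin project, showing how a script can verify such a detached signature and pin it to an expected signing key by parsing gpg's machine-readable --status-fd output instead of trusting the exit code. The fingerprint constant, the file names and the gpg status lines are placeholders and constructed samples (assumptions); the real key is the one published in the Cygwin FAQ linked above.

```python
"""Added example: verify a detached gpg signature from a script, pinned to an
expected key fingerprint.  Not Cygwin's code; the fingerprint is a placeholder
and the status samples below are constructed, not captured from a real run."""
import subprocess

# Placeholder only: replace with the fingerprint the publisher actually
# documents.  Pinning it is what stops a valid signature made by some other
# key that happens to be in your keyring from being accepted.
EXPECTED_FINGERPRINT = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

# OpenPGP hash algorithm ids (RFC 4880); 10 is SHA-512.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}


def parse_gpg_status(status_text):
    """Reduce the '[GNUPG:] ...' status lines to the facts that matter.

    The exit code alone is not enough: gpg exits 0 for a good signature from an
    untrusted key, so we read VALIDSIG and compare the fingerprint ourselves.
    """
    facts = {"goodsig": False, "badsig": False, "no_pubkey": False,
             "fingerprint": None, "hash_algo": None}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "GOODSIG":
            facts["goodsig"] = True
        elif keyword in ("BADSIG", "ERRSIG"):
            facts["badsig"] = True
        elif keyword == "NO_PUBKEY":
            facts["no_pubkey"] = True
        elif keyword == "VALIDSIG" and len(fields) >= 10:
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved>
            #          <pubkey-algo> <hash-algo> <sig-class> [<primary-fpr>]
            facts["fingerprint"] = fields[2].upper()
            facts["hash_algo"] = HASH_ALGOS.get(int(fields[9]), fields[9])
    return facts


def signature_is_acceptable(facts, expected_fingerprint=EXPECTED_FINGERPRINT):
    """True only for a GOODSIG whose VALIDSIG fingerprint is the pinned one."""
    return (facts["goodsig"] and not facts["badsig"]
            and facts["fingerprint"] == expected_fingerprint.upper())


def verify_detached(sig_path, file_path, keyring=None,
                    expected_fingerprint=EXPECTED_FINGERPRINT):
    """Run gpg --verify on sig_path over file_path (needs gpg installed).

    Returns (accepted, facts).  Passing a keyring that holds only the
    publisher's key keeps --verify from succeeding against an unrelated key.
    """
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += ["--verify", sig_path, file_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    facts = parse_gpg_status(proc.stdout)
    return signature_is_acceptable(facts, expected_fingerprint), facts


# Constructed gpg status output for offline use (not from a real run).
SAMPLE_GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2019-02-15 "
    "1550188800 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
SAMPLE_BAD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.invalid>\n"
)
# A good signature, but made by a key other than the pinned one.
SAMPLE_OTHER_KEY_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 1111222233334444 Someone Else <other@example.invalid>\n"
    "[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2019-02-15 "
    "1550188800 0 4 0 1 10 00 1111222233334444555566667777888899990000\n"
)

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD_STATUS), ("bad", SAMPLE_BAD_STATUS),
                          ("other key", SAMPLE_OTHER_KEY_STATUS)):
        facts = parse_gpg_status(sample)
        print(label, signature_is_acceptable(facts), facts["hash_algo"])
```

In practice you would call verify_detached("setup-x86_64.exe.sig", "setup-x86_64.exe", keyring="cygwin-only.gpg") after downloading both files, and only then decide that the new setup.exe is worth installing; the hash_algo field lets you confirm the signature is over a SHA-512 digest as the answer describes.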

uninitialized constant OrigenTesters

I am working on transferring one application from rgen to Origen.
I added environment/j750.rb in my application.
I added the code below to j750.rb:
# environment/j750.rb
$tester = OrigenTesters::J750.new
In the target folder, I also added $tester as below:
$tester = OrigenTesters::J750.new
However, when I tried to generate a pattern, it still failed and showed 'uninitialized constant OrigenTesters'.
When and how to initialize it?
Thanks a lot in advance!
Normally this is something that Origen users don't particularly need to worry about: if you add
gem 'origen_testers'
to your application's Gemfile, then it will be required automatically and a reference like OrigenTesters in your environment file or anywhere else will just work.
However, I note that you mention upgrading from an rgen app, which means that your application must be very old and in fact may not even have a Gemfile.
If you contact me internally I can send you the link to our intranet page which has a guide on how to update these really old apps.

How can I write unit tests against code that uses QDesktopServices openUrl?

I'm working on a Python (3.5) program that uses a PyQt5 GUI. In the GUI, I need to add some help links to the documentation on a website. I manage to make it work with:
QDesktopServices.openUrl(QUrl("my_url"))
It works fine, but I want to be sure that this will always be the case.
A quick and dirty unittest is to call the function and simply notice that there is no error. I would like to make a test that will check that the correct website page did show up. What should I use?
Checking for an error is not going to work at all, because Qt itself never raises errors (of course, Python or PyQt might do, but for completely unrelated reasons). The best you can do is check the return value of openUrl, which will simply return True or False depending on whether it was "successful". But note the following from the Qt docs for openUrl:
Warning: A return value of true indicates that the application has
successfully requested the operating system to open the URL in an
external application. The external application may still fail to
launch or fail to open the requested URL. This result will not be
reported back to the application.
If you want more control, I suggest you use Python's webbrowser module instead. This would, for example, allow you to register your own mock-browser class for the purposes of testing. The webbrowser module is written in pure Python and the code is quite straightforward.
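Following the answer's suggestion, here is an added example (not code from the question or the answer, and deliberately not using PyQt) of routing the help link through the webbrowser module so that a test can register a mock browser and assert on the exact URL requested, which QDesktopServices.openUrl cannot give you. The open_help function, the DOCS_HOST allowlist and the mock class are assumptions for illustration.

```python
"""Added example: open help links via Python's webbrowser module so tests can
substitute a mock browser.  open_help(), DOCS_HOST and MockBrowser are
illustrative assumptions, not part of the original program."""
import webbrowser
from urllib.parse import urlparse

# Assumed documentation host.  Only https links to it are opened, so the help
# action cannot be turned into "launch whatever handles this scheme" if the
# URL string ever comes from untrusted data such as a config file.
DOCS_HOST = "docs.example.invalid"


def is_allowed_help_url(url):
    """Allowlist check: https scheme and the documentation host only."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname == DOCS_HOST


def open_help(url):
    """Open a documentation link; returns True if a browser accepted it."""
    if not is_allowed_help_url(url):
        return False
    return webbrowser.open(url)


class MockBrowser:
    """Test-only stand-in that records URLs instead of launching anything."""

    def __init__(self):
        self.opened = []

    def open(self, url, new=0, autoraise=True):
        self.opened.append(url)
        # webbrowser.open() stops at the first browser that reports success,
        # so returning True keeps real browsers from being tried afterwards.
        return True


def install_mock_browser():
    """Register the mock as the preferred browser and return it for assertions."""
    mock = MockBrowser()
    webbrowser.register("mock", None, mock, preferred=True)
    return mock


if __name__ == "__main__":
    mock = install_mock_browser()
    print(open_help("https://docs.example.invalid/help/intro"), mock.opened)
    print(open_help("file:///etc/passwd"), mock.opened)
```

Because the mock is registered with preferred=True it is consulted before any real browser, so the test runs headless and never spawns a process; the assertion is on mock.opened, i.e. on the URL the application actually asked for, rather than on the absence of an exception.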

wireshark coredumps during load

I have a wireshark dissector plugin.
I also have a wireshark installed from apt-get.
Wireshark loads fine without the plugin inserted in the right place.
When I include the plugin .so file and try to run wireshark, I get the following error:
$ wireshark
08:23:45 Err register_subtree_array: subtree item type (ett_...) not -1 ! This is a development error: Either the subtree item type has already been assigned or was not initialized to -1.
Trace/breakpoint trap (core dumped)
I tried understanding the problem. It says the subtree was already assigned (I'm assuming assigned an ett value) or was not initialized with -1. There are 3 files in my plugin where the API is called, and I checked the values of ett[] being supplied to the API in each of these places. They are all initialized to -1.
I'm stuck at a roadblock. Any suggestion would be helpful.
Also, I do not understand where wireshark dumps the core. I could not find any core.
Any idea about this?
Generally, if you want to insert a plugin into a program, you have to ensure that the library API that the plugin was compiled against is the same as that provided by the program.
Unless wireshark provides documented versioning in its library API, this means that you have to have the plugin compiled against the same version of wireshark that you intend to use it with. So, if you compile your wireshark or the plugin yourself, you should compile the other as well. If you get your plugin in binary form, you should get your wireshark also from exactly the same place, otherwise you may not know if the two are compatible or not. If you only get a core dump when you insert the plugin, that's a strong indication that the two may not be compatible.
register_subtree_array: subtree item type (ett_...) not -1
...
there are 3 files in my plugin where the API is called and I checked the values of ett[] being supplied to the API in each of these places. They are all initialized to -1.
To which API are you referring? You must not call register_subtree_array() on any particular ett_ array more than once; if you're calling it twice, the first call will cause the ett_ values in the array to be set to values different from -1, so the next call will fail with that error.

Overriding PromptService in newer XULRunner

Our application uses embedded XULRunner. We override the default PromptService to provide custom dialogs for alert, prompt, etc. by
componentRegistrar.RegisterFactory (PROMPTSERVICE_CID, aClassName, aContractID, MyPromptServiceFactory);
where,
PROMPTSERVICE_CID is "a2112d6a-0e28-421f-b46a-25c0b308cbd0"
CONTRACT_ID is "#mozilla.org/embedcomp/prompt-service;1"
When using XULRunner 1.9.* versions, this works perfectly and the call comes to MyPromptServiceFactory. But this doesn't work on newer XULRunner versions (>= 4.0).
I have modified the PROMPTSERVICE_CID to "7ad1b327-6dfa-46ec-9234-f2a620ea7e00" (copied from nsPrompter.manifest). While registering the factory I get the error NS_ERROR_FACTORY_EXISTS.
If I continue to use the old PROMPTSERVICE_CID, then nsIPromptService2 is not used; instead nsIWindowCreator2.CreateChromeWindow2 is used to display alerts and prompts.
I have googled on this, but I couldn't find a solution to either fix the NS_ERROR_FACTORY_EXISTS error or for MyPromptServiceFactory to be used.
Any help/suggestions?
It would probably be better to use the existing prompt service the way Firefox does it rather than replace it. If you look at nsPrompter.openPrompt(), before opening a modal dialog it will try to locate and call a JavaScript function getTabModalPrompt() in the window containing the browser. It expects to get a promptBox element back and will call methods appendPrompt() and removePrompt() on it. Obviously, you don't have to give it a promptBox element, just something that behaves similarly - and displays a message any way you like.
But if you really want to replace system components, you shouldn't duplicate prompter's CID - use your own one but #mozilla.org/prompter;1 as contract ID (the old contract ID is for backwards compatibility only).