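Preface
While testing, I found a denial-of-service issue caused by an exported component in the Weibo SDK. This post tests which SDK version does not have the problem.
Code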
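```java
import android.content.Intent;
import android.os.Bundle;
import android.support.annotation.Nullable;
import android.support.v7.app.AppCompatActivity;

import com.sina.weibo.sdk.WbSdk;
import com.sina.weibo.sdk.auth.AuthInfo;
import com.sina.weibo.sdk.auth.Oauth2AccessToken;
import com.sina.weibo.sdk.auth.WbConnectErrorMessage;
import com.sina.weibo.sdk.auth.sso.SsoHandler;

public class LoginActivity extends AppCompatActivity {

    private SsoHandler mSsoHandler;
    private Oauth2AccessToken mAccessToken;

    @Override
    protected void onCreate(@Nullable Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login);
        initWeiBoSDK();
        mSsoHandler = new SsoHandler(this);
        loginIn();
    }

    // Register the app key, redirect URL and requested scopes with the SDK.
    private void initWeiBoSDK() {
        AuthInfo mAuthInfo = new AuthInfo(this,
                "你的appkey", // placeholder: replace with your own app key
                "https://api.weibo.com/oauth2/default.html",
                "email,direct_messages_read,direct_messages_write,"
                        + "friendships_groups_read,friendships_groups_write,statuses_to_me_read,"
                        + "follow_app_official_microblog,"
                        + "invitation_write");
        WbSdk.install(this, mAuthInfo);
    }

    // Start the SSO authorization flow.
    private void loginIn() {
        mSsoHandler.authorize(new WbAuthListener());
    }

    private class WbAuthListener implements com.sina.weibo.sdk.auth.WbAuthListener {

        @Override
        public void onSuccess(final Oauth2AccessToken token) {
            runOnUiThread(new Runnable() {
                @Override
                public void run() {
                    mAccessToken = token;
                    if (mAccessToken.isSessionValid()) {
                        // Token is valid; nothing further is done in this test app.
                    }
                }
            });
        }

        @Override
        public void cancel() {
            // Authorization cancelled; intentionally empty.
        }

        @Override
        public void onFailure(WbConnectErrorMessage errorMessage) {
            // Authorization failed; intentionally empty.
        }
    }

    // Hand the SSO result back to the SDK.
    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (mSsoHandler != null) {
            mSsoHandler.authorizeCallBack(requestCode, resultCode, data);
        }
    }
}
```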
Weibo SDK version affected by the local denial of service:
compile 'com.sina.weibo.sdk:core:4.1.0:openDefaultRelease@aar'
After upgrading to
compile 'com.sina.weibo.sdk:core:4.4.1:openDefaultRelease@aar'
the problem no longer occurs.
Proof of the vulnerability:
```
adb shell am start com.demo.sinaweibosdk_test/com.sina.weibo.sdk.share.WbShareTransActivity
```
Scanning the packaged APK:
One exported component is present.
```
adb shell am start com.demo.sinaweibosdk_test/com.sina.weibo.sdk.share.WbShareResultActivity
```
After testing, the crash no longer occurs.
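The "scan the packaged APK" step above can be done with a short script. This is an added example, not code from the original post or from the Weibo SDK. It assumes the merged AndroidManifest.xml has already been decoded to text XML (for instance with apktool), and the sample manifest and the `SyncService` / `com.demo.PRIVATE` names are constructed for illustration. A component with an intent-filter and no `android:exported` attribute is treated as exported, which is the platform default before Android 12.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest (not the SDK's real one); the package and the two
# Weibo activity names are taken from the adb commands on this page.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.demo.sinaweibosdk_test">
  <application>
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <activity android:name="com.sina.weibo.sdk.share.WbShareTransActivity"
        android:exported="false"/>
    <activity android:name="com.sina.weibo.sdk.share.WbShareResultActivity"
        android:exported="true"/>
    <service android:name=".SyncService"
        android:exported="true" android:permission="com.demo.PRIVATE"/>
  </application>
</manifest>"""


def exported_components(manifest_xml):
    """Return (tag, full_name, reason, permission) for each exported component."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = []
    for node in root.iter():
        if node.tag not in COMPONENT_TAGS:
            continue
        name = node.get(ANDROID_NS + "name", "")
        if name.startswith(".") or "." not in name:  # relative class name
            name = package + ("" if name.startswith(".") else ".") + name
        flag = node.get(ANDROID_NS + "exported")
        if flag == "true" or (flag is None and node.find("intent-filter") is not None):
            reason = "explicit" if flag == "true" else "implicit via intent-filter"
            found.append((node.tag, name, reason, node.get(ANDROID_NS + "permission")))
    return found


def unprotected(manifest_xml):
    """Names of exported components with no permission guard (startable by any app)."""
    return [n for _, n, _, perm in exported_components(manifest_xml) if perm is None]


if __name__ == "__main__":
    print("\n".join(unprotected(SAMPLE_MANIFEST)))
```

Each name it reports is a component whose intent handling has to tolerate missing or malformed extras, since any local app can start it.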
CODE
sinaweibosdk_test
LINKS
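Weibo Open Platform
You need to verify your email address first.
Then create an application: Micro Link - Mobile Application - Connect Now.
Weibo Open Platform - Application Info
Weibo Open Platform - Console
Add the package name and signature information.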
weibo_android_sdk
Third-party authorization login on Android with the latest Sina Weibo SDK 4.1
Author:
tea9
Permalink:
http://tea9.github.io/post/3083534279.html
License:
Copyright (c) 2017-2025 CC-BY-NC-4.0 LICENSE