前言

测试的时候发现一个微博组件导出导致拒绝服务的问题,现测试哪个版本没有这个问题。

代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
public class LoginActivity extends AppCompatActivity {

private SsoHandler mSsoHandler;
private Oauth2AccessToken mAccessToken;

@Override
protected void onCreate(@Nullable Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_login);
initWeiBoSDK();
mSsoHandler = new SsoHandler(this);
loginIn();
}

private void initWeiBoSDK() {
AuthInfo mAuthInfo = new AuthInfo(this, "你的appkey", "https://api.weibo.com/oauth2/default.html",
"email,direct_messages_read,direct_messages_write,"
+ "friendships_groups_read,friendships_groups_write,statuses_to_me_read,"
+ "follow_app_official_microblog," + "invitation_write");
WbSdk.install(this,mAuthInfo);
}

private void loginIn() {

mSsoHandler. authorize(new WbAuthListener());
}

private class WbAuthListener implements com.sina.weibo.sdk.auth.WbAuthListener{

@Override
public void onSuccess(final Oauth2AccessToken token) {
runOnUiThread(new Runnable() {
@Override
public void run() {
mAccessToken = token;
if (mAccessToken.isSessionValid()) {

}
}
});
}

@Override
public void cancel() {

}

@Override
public void onFailure(WbConnectErrorMessage errorMessage) {

}
}

@Override
protected void onActivityResult(int requestCode, int resultCode, Intent data) {
super.onActivityResult(requestCode, resultCode, data);
if (mSsoHandler != null) {
mSsoHandler.authorizeCallBack(requestCode, resultCode, data);
}
}
}

微博sdk本地拒绝服务影响版本compile 'com.sina.weibo.sdk:core:4.1.0:openDefaultRelease@aar'
现升级到compile 'com.sina.weibo.sdk:core:4.4.1:openDefaultRelease@aar' 没有这个问题

漏洞证明:

1
adb shell am start com.demo.sinaweibosdk_test/com.sina.weibo.sdk.share.WbShareTransActivity

扫描打包后的apk:
存在一处导出

1
adb shell am start com.demo.sinaweibosdk_test/com.sina.weibo.sdk.share.WbShareResultActivity

测试后已经不存在崩溃了

CODE

sinaweibosdk_test

微博开放平台
需要认证下邮箱。
之后创建应用。 微链接-移动应用-立即接入。
微博开放平台-应用信息
微博开放平台-控制台
添加包名-签名信息。

weibo_android_sdk

android使用新浪微博最新SDK4.1进行第三方授权登录