From a49cd36c5c2de7cb4fba20c360652667702c15a5 Mon Sep 17 00:00:00 2001
From: "surya.kumar7"
Date: Tue, 5 Nov 2019 14:59:28 +0530
Subject: [PATCH] Remove add-on events to prevent add-ons from monitoring other listeners
A couple allowed add-on events can be used to eavesdrop on other add-ons or examine other listeners' code. Removed them to avoid any exploits.
Change-Id: I9791d82516f2f263bf2e4f5ef7c793eadda85b35
Signed-off-by: surya.kumar7
---
 wrt_app/src/addon_manager.js | 20 ++++++--------
 1 file changed, 6 insertions(+), 14 deletions(-)
diff --git a/wrt_app/src/addon_manager.js b/wrt_app/src/addon_manager.js
index 31c537ac..a156fa7f 100644
--- a/wrt_app/src/addon_manager.js
+++ b/wrt_app/src/addon_manager.js
@@ -26,8 +26,6 @@ const ADDONS_PATH = path.join(__dirname, '..', 'addon', 'browser', 'addonapi.js'
 // A set of predefined events for addons
 const EventList = [
- 'newListener', // A listener is added via on() or addListener()
- 'removeListener', // A listener is removed via off() or removeListener()
 'lcPrelaunch', // An app is at just before launching
 'lcResume', // An app is resumed
 'lcSuspend', // An app is suspended
@@ -197,24 +195,18 @@ class AddonManager {
 this.evt_emitter_ = new EventEmitter();
 this.wrappedEventEmitter = {
 on: (eventName, listener) => {
- if (EventList.indexOf(eventName) !== -1)
+ if (EventList.indexOf(eventName) !== -1) {
+ console.log(`A new listener for ${eventName} is added`);
 this.evt_emitter_.on(eventName, listener);
- else console.log('Invalid Event: ' + eventName);
+ } else console.log(`Invalid Event: ${eventName}`);
 },
 off: (eventName, listener) => {
- if (EventList.indexOf(eventName) !== -1)
+ if (EventList.indexOf(eventName) !== -1) {
+ console.log(`A listener for ${eventName} is removed`);
 this.evt_emitter_.off(eventName, listener);
- else console.log('Invalid Event: ' + eventName);
+ } else console.log(`Invalid Event: ${eventName}`);
 }
 }
-
- this.evt_emitter_.on('newListener', function(event, listener) {
- console.log('A listener for ' + event + ' has been added');
- });
-
- this.evt_emitter_.on('removeListener', function(event, listener) {
- console.log('A listener for ' + event + ' has been removed');
- });
 }
 static getManifestFile() {
--
2.34.1
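Review bot: The `off` wrapper now logs `A listener for ${eventName} is removed` before calling `this.evt_emitter_.off(...)`, so the message appears even when that listener was never registered; the deleted `removeListener` handler only fired after an actual removal. If these lines are meant as a trace of add-on activity, compare counts around the call, e.g. `const before = this.evt_emitter_.listenerCount(eventName);` and log only `if (this.evt_emitter_.listenerCount(eventName) < before)`. The `else` branches also interpolate `eventName` exactly as received, presumably from the add-on, so a `typeof eventName === 'string'` check or `JSON.stringify(eventName)` in the message would keep line breaks and control characters out of the log. The enclosing method starts above the hunk.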