Lack of certificate validation in gvfs requests
HTTPS requests made by GVFS lack certificate validation. The application accepts certificates not signed by a trusted CA, thus the application is susceptible to man-in-the-middle attacks.
Example request made while selecting a searched podcast:
HEAD /us/podcast/harry-potter-and-the-sacred-text/id1096113994?uo=4 HTTP/1.1
Host: podcasts.apple.com
Accept-Encoding: gzip, deflate
User-Agent: gvfs/1.36.1
Accept-Language: en-us, en;q=0.9
Connection: close
initiated in rb-podcast-parse.c:176:
151 gboolean
152 rb_podcast_parse_load_feed (RBPodcastChannel *data,
153                             const char *file_name,
154                             gboolean existing_feed,
155                             GError **error)
156 {
157     GFile *file;
158     GFileInfo *fileinfo;
159     TotemPlParser *plparser;
[...]
175     file = g_file_new_for_uri (file_name);
176     fileinfo = g_file_query_info (file, G_FILE_ATTRIBUTE_STANDARD_CONTENT_TYPE, 0, NULL, &ferror);
177     if (ferror != NULL) {
However, every part of the application which initiates a GVFS-based connection may be vulnerable.