Merge pull request #436 from purplecabbage/ValidateCallbackId

[android] Prevent malformed callbackId from reaching app cordova view
apache · Mar 2, 2019 · c95dbcb · c95dbcb
2 parents 92243cd + 6861084
commit c95dbcb
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/src/android/InAppChromeClient.java b/src/android/InAppChromeClient.java
@@ -104,7 +104,7 @@ public boolean onJsPrompt(WebView view, String url, String message, String defau
             if(defaultValue.startsWith("gap-iab://")) {
                 PluginResult scriptResult;
                 String scriptCallbackId = defaultValue.substring(10);
-                if (scriptCallbackId.startsWith("InAppBrowser")) {
+                if (scriptCallbackId.matches("^InAppBrowser[0-9]{1,10}$")) {
                     if(message == null || message.length() == 0) {
                         scriptResult = new PluginResult(PluginResult.Status.OK, new JSONArray());
                     } else {
@@ -118,9 +118,14 @@ public boolean onJsPrompt(WebView view, String url, String message, String defau
                     result.confirm("");
                     return true;
                 }
+                else {
+                    // Anything else that doesn't look like InAppBrowser0123456789 should end up here
+                    LOG.w(LOG_TAG, "InAppBrowser callback called with invalid callbackId : "+ scriptCallbackId);
+                    result.cancel();
+                    return true;
+                }
             }
-            else
-            {
+            else {
                 // Anything else with a gap: prefix should get this message
                 LOG.w(LOG_TAG, "InAppBrowser does not support Cordova API calls: " + url + " " + defaultValue); 
                 result.cancel();