block non-image "data:" URIs from being loaded in address bar or via …

…redirect. OB-01-016
OnionBrowser · May 10, 2014 · 546a543 · 546a543
1 parent 25eb7f5
commit 546a543
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -36,6 +36,13 @@ corrected due to this audit are marked with the vulnerability ID
   such as <img src="onionbrowser:forcequit">) and has been removed.
   Fixed in c5cfb15a99.
 
+* OB-01-016: HTML content loaded via "data:" URIs would bypass the
+  "Block Active Content" setting. If a user navigates to a specially
+  crafted "data:text/html..." URI (via redirect or "meta refresh"),
+  the page could load a video tag, exposing the user's IP address.
+  "data:" URIs that are not image files are now blocked from being
+  loaded in the address bar or via redirect. Fixed in xxxxxxxxxx.
+
 * OB-01-017: Onion Browser previously loaded "onionbrowser://" URLs
   without prompting the user. This could create a case where an
   attack site opened in another browser would redirect a user to

diff --git a/OnionBrowser/OnionBrowser/WebViewController.m b/OnionBrowser/OnionBrowser/WebViewController.m
@@ -478,6 +478,22 @@ - (BOOL)shouldAutorotateToInterfaceOrientation:(UIInterfaceOrientation)interface
 # pragma mark WebView behavior
 
 - (BOOL)webView:(UIWebView *)webView shouldStartLoadWithRequest:(NSURLRequest *)request navigationType:(UIWebViewNavigationType)navigationType {
+    if ([[[request URL] scheme] isEqualToString:@"data"]) {
+        NSString *url = [[request URL] absoluteString];
+        NSRegularExpression *regex = [NSRegularExpression
+                                      regularExpressionWithPattern:@"\\Adata:image/(?:jpe?g|gif|png)"
+                                      options:NSRegularExpressionCaseInsensitive
+                                      error:nil];
+        NSUInteger numberOfMatches = [regex numberOfMatchesInString:url
+                                                              options:0
+                                                                range:NSMakeRange(0, [url length])];
+        if (numberOfMatches == 0) {
+            // This is a "data:" URI that isn't an image. Since this could be an HTML page,
+            // PDF file, or other dynamic document, we should block it.
+            // TODO: for now, this is silent
+            return NO;
+        }
+    }
     [self updateAddress:request];
     return YES;
 }