enforce http(s) protocol schema in URLs

tinode · Aug 18, 2019 · d050fd1 · d050fd1
1 parent 8d56b40
commit d050fd1
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 14 deletions.
diff --git a/app/src/main/java/co/tinode/tindroid/MessagesAdapter.java b/app/src/main/java/co/tinode/tindroid/MessagesAdapter.java
@@ -773,9 +773,16 @@ private void downloadAttachment(Map<String,Object> data, String fname, String mi
             } else {
                 Object ref = data.get("ref");
                 if (ref instanceof String) {
-                    LargeFileHelper lfh = Cache.getTinode().getFileUploader();
-                    mActivity.startDownload(Uri.parse(new URL(Cache.getTinode().getBaseUrl(), (String) ref).toString()),
-                            fname, mimeType, lfh.headers());
+                    URL url = new URL(Cache.getTinode().getBaseUrl(), (String) ref);
+                    String scheme = url.getProtocol();
+                    // Make sure the file is downloaded over http or https protocols.
+                    if (scheme.equals("http") || scheme.equals("https")) {
+                        LargeFileHelper lfh = Cache.getTinode().getFileUploader();
+                        mActivity.startDownload(Uri.parse(url.toString()), fname, mimeType, lfh.headers());
+                    } else {
+                        Log.w(TAG, "Unsupported transport protocol '" + scheme + "'");
+                        Toast.makeText(mActivity, R.string.failed_to_download, Toast.LENGTH_SHORT).show();
+                    }
                 } else {
                     Log.w(TAG, "Invalid or missing attachment");
                     Toast.makeText(mActivity, R.string.failed_to_download, Toast.LENGTH_SHORT).show();
@@ -784,7 +791,7 @@ private void downloadAttachment(Map<String,Object> data, String fname, String mi
 
         } catch (NullPointerException | ClassCastException | IOException ex) {
             Log.w(TAG, "Failed to save attachment to storage", ex);
-            Toast.makeText(mActivity, R.string.failed_to_download, Toast.LENGTH_SHORT).show();
+            Toast.makeText(mActivity, R.string.failed_to_save_download, Toast.LENGTH_SHORT).show();
         } catch (ActivityNotFoundException ex) {
             Log.w(TAG, "No application can handle downloaded file");
             Toast.makeText(mActivity, R.string.failed_to_open_file, Toast.LENGTH_SHORT).show();
@@ -854,8 +861,13 @@ public void onClick(String type, Map<String, Object> data) {
                     // Click on an URL
                     try {
                         if (data != null) {
-                            String url = new URL(Cache.getTinode().getBaseUrl(), (String) data.get("url")).toString();
-                            mActivity.startActivity(new Intent(Intent.ACTION_VIEW, Uri.parse(url)));
+                            URL url = new URL(Cache.getTinode().getBaseUrl(), (String) data.get("url"));
+                            String scheme = url.getProtocol();
+                            if (!scheme.equals("http") && !scheme.equals("https")) {
+                                // As a security measure refuse to follow URLs with non-http(s) protocols.
+                                break;
+                            }
+                            mActivity.startActivity(new Intent(Intent.ACTION_VIEW, Uri.parse(url.toString())));
                         }
                     } catch (ClassCastException | MalformedURLException | NullPointerException ignored) {
                     }
@@ -930,8 +942,13 @@ public void onClick(String type, Map<String, Object> data) {
                                 mActivity.sendMessage(newMsg);
 
                             } else if ("url".equals(actionType)) {
-                                String url = new URL(Cache.getTinode().getBaseUrl(), (String) data.get("ref")).toString();
-                                Uri uri =  Uri.parse(url);
+                                URL url = new URL(Cache.getTinode().getBaseUrl(), (String) data.get("ref"));
+                                String scheme = url.getProtocol();
+                                if (!scheme.equals("http") && !scheme.equals("https")) {
+                                    // As a security measure refuse to follow URLs with non-http(s) protocols.
+                                    break;
+                                }
+                                Uri uri =  Uri.parse(url.toString());
                                 Uri.Builder builder = uri.buildUpon();
                                 if (!TextUtils.isEmpty(name)) {
                                     builder = builder.appendQueryParameter(name,

diff --git a/app/src/main/java/co/tinode/tindroid/media/SpanFormatter.java b/app/src/main/java/co/tinode/tindroid/media/SpanFormatter.java
@@ -165,7 +165,7 @@ private TreeNode handleAttachment(final Context ctx,
             } catch (ClassCastException ignored) {
             }
 
-            result.addNode( "\n");
+            // result.addNode( "\n");
 
             // Insert document icon
             Drawable icon = AppCompatResources.getDrawable(ctx, R.drawable.ic_insert_drive_file);

diff --git a/app/src/main/res/values-ru/strings.xml b/app/src/main/res/values-ru/strings.xml
@@ -122,7 +122,8 @@
     <string name="group_members">Участники чата</string>
     <string name="forgot_password">Забыл пароль</string>
     <string name="failed_to_create_topic">Ошибка создания чата</string>
-    <string name="failed_to_download">Ошибка сохранения файла</string>
+    <string name="failed_to_download">Не удалось скачать файл</string>
+    <string name="failed_to_save_download">Ошибка сохранения файла</string>
     <string name="failed_to_open_file">Неизвестный тип файла</string>
     <string name="file_manager_not_found">Нет возможности просмотра файлов</string>
     <string name="confirm_logout">Вы действительно хотите выйти из приложения?</string>

diff --git a/app/src/main/res/values/strings.xml b/app/src/main/res/values/strings.xml
@@ -145,7 +145,8 @@
     <string name="file_manager_not_found">File manager not found</string>
     <string name="attachment_too_large">The file size %1$s exceeds the %2$s limit.</string>
 
-    <string name="failed_to_download">Failed to save downloaded file</string>
+    <string name="failed_to_download">Failed to download the file</string>
+    <string name="failed_to_save_download">Failed to save downloaded file</string>
     <string name="failed_to_open_file">No application can view the file of this type</string>
     <string name="failed_empty_password">Not changed: empty password</string>
     <string name="failed_credential_confirmation">Incorrect confirmation code</string>

diff --git a/tinodesdk/src/main/java/co/tinode/tinodesdk/LargeFileHelper.java b/tinodesdk/src/main/java/co/tinode/tinodesdk/LargeFileHelper.java
@@ -117,11 +117,11 @@ public void run() {
     public long download(String downloadFrom, OutputStream out, FileHelperProgress progress) throws IOException {
         URL url = new URL(downloadFrom);
         long size = 0;
-        if (!url.getHost().equals(mHost)) {
-            // As a security measure refuse to download from an absolute URL.
+        String scheme = url.getProtocol();
+        if (!url.getHost().equals(mHost) || (!scheme.equals("http") && !scheme.equals("https"))) {
+            // As a security measure refuse to download from an absolute URL or using non-http(s) protocols.
             return size;
         }
-
         HttpURLConnection urlConnection = null;
         try {
             urlConnection = (HttpURLConnection) url.openConnection();