Validate sensitive URLs to onle allow http(s) schemes. #2906
Conversation
|
I only validate those URLs coming from the server or user input. Please go through the rest of QDesktopServices::openUrl calls to see why I am not validating those. Non-validate URLs are either hard-coded or point to local files/folders. As @er-vin suggested, I did the revision of all the QDesktopServices::openUrl cases and only validated those risky-ones. |
src/gui/guiutility.cpp
Outdated
| @@ -23,12 +23,24 @@ | |||
|
|
|||
| #include "common/asserts.h" | |||
|
|
|||
| namespace { | |||
| const QStringList whitelistedUrlSchemes = { | |||
There was a problem hiding this comment.
Avoid global variables in general and global static non-POD types in particular. It is probably fine to have it as a local const in openBrowser, it's not on any hot path really.
src/gui/tray/UserModel.cpp
Outdated
| url = "https://" + _users[_currentUserId]->server(false); | ||
| } | ||
| QDesktopServices::openUrl(QUrl(url)); | ||
| Utility::openBrowser(QUrl(url), nullptr); |
There was a problem hiding this comment.
Not needed for that one because of the check in the block just before. You are right that this use of "contains" is surprising and "startsWith" would be more appropriate.
| "https" | ||
| }; | ||
| }; | ||
|
|
||
| using namespace OCC; | ||
|
|
||
| Q_LOGGING_CATEGORY(lcUtility, "nextcloud.gui.utility", QtInfoMsg) | ||
|
|
||
| bool Utility::openBrowser(const QUrl &url, QWidget *errorWidgetParent) |
There was a problem hiding this comment.
There's exactly one call of that function which doesn't pass nullptr for the second parameter. What about adding a commit before this one in your PR to have nullptr as default value for errorWidgetParent?
This way you could spare the nullptr everywhere else in your PR when openBrowser is called.
allexzander
force-pushed
the
fix-url-scheme-security-issue
branch
from
04695eb to
5c60812
Compare
src/gui/guiutility.cpp
Outdated
| using namespace OCC; | ||
|
|
||
| Q_LOGGING_CATEGORY(lcUtility, "nextcloud.gui.utility", QtInfoMsg) | ||
|
|
||
| bool Utility::openBrowser(const QUrl &url, QWidget *errorWidgetParent) | ||
| { | ||
| const QStringList whitelistedUrlSchemes = { |
There was a problem hiding this comment.
nitpick: rename to allowedUrlSchemes
There was a problem hiding this comment.
@er-vin Ok. Will fix CI errors later, before merge...
|
/rebase |
Signed-off-by: allexzander <blackslayer4@gmail.com>
github-actions
bot
force-pushed
the
fix-url-scheme-security-issue
branch
from
b8a7d4b to
1dc98de
Compare
src/gui/tray/UserModel.cpp
Outdated
| @@ -731,10 +732,11 @@ Q_INVOKABLE void UserModel::openCurrentAccountServer() | |||
| return; | |||
|
|
|||
| QString url = _users[_currentUserId]->server(false); | |||
| if (!(url.contains("http://") || url.contains("https://"))) { | |||
| if (!url.startsWith("http")) { | |||
There was a problem hiding this comment.
I'd prefer if we can match a full scheme here. (in case someone has local handlers that start with http but may do other things.Unlikely, but you never know.)
There was a problem hiding this comment.
Didn't @er-vin say something about it before?
There was a problem hiding this comment.
@LukasReschke Addressed.
|
Signed-off-by: allexzander <blackslayer4@gmail.com>
allexzander
force-pushed
the
fix-url-scheme-security-issue
branch
from
8765134 to
013f3ce
Compare
I did think I was going to merge it right away until Lukas commented on it... |
|
AppImage file: Nextcloud-PR-2906-013f3cea70acfe7b701cb73c93744d5ff5c0c213-x86_64.AppImage |
@camilasan I see. Sorry. |
|
/backport to stable-3.1 |
Signed-off-by: allexzander blackslayer4@gmail.com