Allow only HTTPS links for web view.

This commit is contained in:
levlam 2022-03-28 16:24:56 +03:00
parent 0bd4c1a778
commit ac8e856269
3 changed files with 11 additions and 5 deletions


@ -623,7 +623,7 @@ static bool tolower_begins_with(Slice str, Slice prefix) {
return true;
}
Result<string> LinkManager::check_link(Slice link) {
Result<string> LinkManager::check_link(Slice link, bool http_only, bool https_only) {
bool is_tg = false;
bool is_ton = false;
if (tolower_begins_with(link, "tg:")) {
@ -637,7 +637,13 @@ Result<string> LinkManager::check_link(Slice link) {
link.remove_prefix(2);
}
TRY_RESULT(http_url, parse_url(link));
if (https_only && (http_url.protocol_ != HttpUrl::Protocol::Https || is_tg || is_ton)) {
return Status::Error("Only HTTPS links are allowed");
}
if (is_tg || is_ton) {
if (http_only) {
return Status::Error("Only HTTP links are allowed");
}
if (tolower_begins_with(link, "http://") || http_url.protocol_ == HttpUrl::Protocol::Https ||
!http_url.userinfo_.empty() || http_url.specified_port_ != 0 || http_url.is_ipv6_) {
return Status::Error(is_tg ? Slice("Wrong tg URL") : Slice("Wrong ton URL"));
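Review bot: The two new flags overlap in a way the code does not state: `https_only` at L23 already rejects `is_tg || is_ton` together with any non-`Https` protocol, so once it is set the `http_only` branch at L27 inside the `is_tg || is_ton` block can no longer be reached, and `http_only` on its own still accepts both http:// and https:// URLs despite its name. A comment where the checks live would keep the next reader from "simplifying" one of them, e.g. `// http_only: reject tg:/ton: links (both http and https accepted); https_only: reject tg:/ton: and any non-HTTPS scheme, so it subsumes http_only`. The error text `"Only HTTP links are allowed"` is also misleading for a check that accepts HTTPS; `"Only HTTP(S) links are allowed"` would match the behavior. The body of check_link continues past the end of the hunk.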


@ -47,7 +47,7 @@ class LinkManager final : public Actor {
};
// checks whether the link is a valid tg, ton or HTTP(S) URL and returns it in a canonical form
static Result<string> check_link(Slice link);
static Result<string> check_link(Slice link, bool http_only = false, bool https_only = false);
// checks whether the link is a supported tg or t.me link and parses it
static unique_ptr<InternalLink> parse_internal_link(Slice link);
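Review bot: The comment above the declaration still describes only the original behavior; the two defaulted bools added at L40 are undocumented, and from the header alone `http_only` reads as "plain http only" although the implementation uses it to reject tg:/ton: links while accepting both HTTP and HTTPS. Extend the comment, e.g. `// http_only: reject tg: and ton: links; https_only: additionally reject links whose scheme is not HTTPS`. Two adjacent defaulted bools also make call sites such as `check_link(url, true, true)` hard to read; an `enum class` or named flags would be clearer, though that is a larger change than this commit needs.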


@ -450,7 +450,7 @@ static Result<KeyboardButton> get_keyboard_button(tl_object_ptr<td_api::keyboard
if (user_id.is_valid()) {
return Status::Error(400, "Link to a user can't be used in web view URL buttons");
}
auto r_url = LinkManager::check_link(button_type->url_);
auto r_url = LinkManager::check_link(button_type->url_, true, true);
if (r_url.is_error()) {
return Status::Error(400, "Inline keyboard button web view URL is invalid");
}
@ -537,7 +537,7 @@ static Result<InlineKeyboardButton> get_inline_keyboard_button(tl_object_ptr<td_
if (user_id.is_valid()) {
return Status::Error(400, "Link to a user can't be used in login URL buttons");
}
auto r_url = LinkManager::check_link(button_type->url_);
auto r_url = LinkManager::check_link(button_type->url_, true);
if (r_url.is_error()) {
return Status::Error(400, "Inline keyboard button login URL is invalid");
}
@ -572,7 +572,7 @@ static Result<InlineKeyboardButton> get_inline_keyboard_button(tl_object_ptr<td_
if (user_id.is_valid()) {
return Status::Error(400, "Link to a user can't be used in web view URL buttons");
}
auto r_url = LinkManager::check_link(button_type->url_);
auto r_url = LinkManager::check_link(button_type->url_, true, true);
if (r_url.is_error()) {
return Status::Error(400, "Inline keyboard button web view URL is invalid");
}
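Review bot: The bare `true, true` and `true` literals at L51, L60 and L69 give no hint which restriction each call site is opting into; argument comments such as `LinkManager::check_link(button_type->url_, /*http_only=*/true, /*https_only=*/true)` keep the intent readable without changing behavior. The login URL call at L60 is the only one left without `https_only`, so plain `http://` login URLs still pass; if that is intended, a one-line comment saying so would stop a later reader from "fixing" it, and if login URLs are meant to be HTTPS as well the same `true, true` would apply there. The Status returned by check_link is still discarded in favor of the generic 400 message, so the new "Only HTTPS links are allowed" reason never reaches the caller; logging it or appending it to the error would make the rejection easier to diagnose. get_keyboard_button and get_inline_keyboard_button both begin outside the hunks shown.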