Allow only HTTPS links for web view.
parent
0bd4c1a778
commit
ac8e856269
@ -623,7 +623,7 @@ static bool tolower_begins_with(Slice str, Slice prefix) {
|
||||
return true;
|
||||
}
|
||||
|
||||
Result<string> LinkManager::check_link(Slice link) {
|
||||
Result<string> LinkManager::check_link(Slice link, bool http_only, bool https_only) {
|
||||
bool is_tg = false;
|
||||
bool is_ton = false;
|
||||
if (tolower_begins_with(link, "tg:")) {
|
||||
@ -637,7 +637,13 @@ Result<string> LinkManager::check_link(Slice link) {
|
||||
link.remove_prefix(2);
|
||||
}
|
||||
TRY_RESULT(http_url, parse_url(link));
|
||||
if (https_only && (http_url.protocol_ != HttpUrl::Protocol::Https || is_tg || is_ton)) {
|
||||
return Status::Error("Only HTTPS links are allowed");
|
||||
}
|
||||
if (is_tg || is_ton) {
|
||||
if (http_only) {
|
||||
return Status::Error("Only HTTP links are allowed");
|
||||
}
|
||||
if (tolower_begins_with(link, "http://") || http_url.protocol_ == HttpUrl::Protocol::Https ||
|
||||
!http_url.userinfo_.empty() || http_url.specified_port_ != 0 || http_url.is_ipv6_) {
|
||||
return Status::Error(is_tg ? Slice("Wrong tg URL") : Slice("Wrong ton URL"));
|
||||
|
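Review bot: The `https_only` branch added after `parse_url` tests only `http_url.protocol_`, while the userinfo, explicit-port and IPv6 checks visible just below it apply only to the tg/ton branch. As far as this hunk shows, an HTTPS URL with a non-empty `userinfo_` passes the web view restriction, and userinfo can make the host shown to a user misleading. `check_link` continues past the end of the hunk, so later validation may already cover this. If it does not, consider also rejecting `!http_url.userinfo_.empty()` when `https_only` is set.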
@ -47,7 +47,7 @@ class LinkManager final : public Actor {
|
||||
};
|
||||
|
||||
// checks whether the link is a valid tg, ton or HTTP(S) URL and returns it in a canonical form
|
||||
static Result<string> check_link(Slice link);
|
||||
static Result<string> check_link(Slice link, bool http_only = false, bool https_only = false);
|
||||
|
||||
// checks whether the link is a supported tg or t.me link and parses it
|
||||
static unique_ptr<InternalLink> parse_internal_link(Slice link);
|
||||
|
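Review bot: The comment above `check_link` still describes only the unrestricted mode, so `http_only` and `https_only` are undocumented at the declaration. Judging by the implementation hunk, `http_only` rejects tg and ton links and `https_only` additionally requires the HTTPS scheme, so `https_only` already implies `http_only`. A line such as `// if http_only, tg and ton links are rejected; if https_only, anything but an HTTPS URL is rejected` would record that. Two adjacent defaulted `bool`s are also easy to swap at a call site; an `enum class` naming the three modes would be self-describing, at the cost of a signature change.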
@ -450,7 +450,7 @@ static Result<KeyboardButton> get_keyboard_button(tl_object_ptr<td_api::keyboard
|
||||
if (user_id.is_valid()) {
|
||||
return Status::Error(400, "Link to a user can't be used in web view URL buttons");
|
||||
}
|
||||
auto r_url = LinkManager::check_link(button_type->url_);
|
||||
auto r_url = LinkManager::check_link(button_type->url_, true, true);
|
||||
if (r_url.is_error()) {
|
||||
return Status::Error(400, "Inline keyboard button web view URL is invalid");
|
||||
}
|
||||
@ -537,7 +537,7 @@ static Result<InlineKeyboardButton> get_inline_keyboard_button(tl_object_ptr<td_
|
||||
if (user_id.is_valid()) {
|
||||
return Status::Error(400, "Link to a user can't be used in login URL buttons");
|
||||
}
|
||||
auto r_url = LinkManager::check_link(button_type->url_);
|
||||
auto r_url = LinkManager::check_link(button_type->url_, true);
|
||||
if (r_url.is_error()) {
|
||||
return Status::Error(400, "Inline keyboard button login URL is invalid");
|
||||
}
|
||||
@ -572,7 +572,7 @@ static Result<InlineKeyboardButton> get_inline_keyboard_button(tl_object_ptr<td_
|
||||
if (user_id.is_valid()) {
|
||||
return Status::Error(400, "Link to a user can't be used in web view URL buttons");
|
||||
}
|
||||
auto r_url = LinkManager::check_link(button_type->url_);
|
||||
auto r_url = LinkManager::check_link(button_type->url_, true, true);
|
||||
if (r_url.is_error()) {
|
||||
return Status::Error(400, "Inline keyboard button web view URL is invalid");
|
||||
}
|
||||
|
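Review bot: Both web view call sites pass `true, true` positionally and then replace the status from `check_link` with a generic message, so a caller sending an `http://` URL is not told that HTTPS is required. Annotating the arguments, `LinkManager::check_link(button_type->url_, /*http_only=*/true, /*https_only=*/true)`, would make the three call sites auditable at a glance. The error text in `get_keyboard_button` also reads "Inline keyboard button web view URL is invalid", although that function builds a regular keyboard button. The lines that consume `r_url` are outside these hunks, so confirm that the button stores the canonical string returned by `check_link` rather than the raw `url_`; otherwise the validated URL and the one actually used can differ.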