URI sanitizer improvements

pull/210/head
M66B 2 years ago
parent 86b067cf9d
commit c6251f6d3a

@ -268,14 +268,16 @@ public class UriHelper {
if (uri.getHost() != null && if (uri.getHost() != null &&
uri.getHost().endsWith("safelinks.protection.outlook.com") && uri.getHost().endsWith("safelinks.protection.outlook.com") &&
!TextUtils.isEmpty(uri.getQueryParameter("url"))) { !TextUtils.isEmpty(uri.getQueryParameter("url"))) {
changed = true; Uri result = Uri.parse(uri.getQueryParameter("url"));
url = Uri.parse(uri.getQueryParameter("url")); changed = (result != null && isHyperLink(result));
url = (changed ? result : uri);
} else if ("https".equals(uri.getScheme()) && } else if ("https".equals(uri.getScheme()) &&
"smex-ctp.trendmicro.com".equals(uri.getHost()) && "smex-ctp.trendmicro.com".equals(uri.getHost()) &&
"/wis/clicktime/v1/query".equals(uri.getPath()) && "/wis/clicktime/v1/query".equals(uri.getPath()) &&
!TextUtils.isEmpty(uri.getQueryParameter("url"))) { !TextUtils.isEmpty(uri.getQueryParameter("url"))) {
changed = true; Uri result = Uri.parse(uri.getQueryParameter("url"));
url = Uri.parse(uri.getQueryParameter("url")); changed = (result != null && isHyperLink(result));
url = (changed ? result : uri);
} else if ("https".equals(uri.getScheme()) && } else if ("https".equals(uri.getScheme()) &&
"www.google.com".equals(uri.getHost()) && "www.google.com".equals(uri.getHost()) &&
uri.getPath() != null && uri.getPath() != null &&
@ -298,87 +300,93 @@ public class UriHelper {
p = u.indexOf("/"); p = u.indexOf("/");
} }
changed = (result != null); changed = (result != null && isHyperLink(result));
url = (result == null ? uri : result); url = (changed ? result : uri);
} else if ("https".equals(uri.getScheme()) && } else if ("https".equals(uri.getScheme()) &&
uri.getHost() != null && uri.getHost() != null &&
uri.getHost().startsWith("www.google.") && uri.getHost().startsWith("www.google.") &&
uri.getQueryParameter("url") != null) { uri.getQueryParameter("url") != null) {
// Google non-com redirects // Google non-com redirects
Uri result = Uri.parse(uri.getQueryParameter("url")); Uri result = Uri.parse(uri.getQueryParameter("url"));
changed = (result != null); changed = (result != null && isHyperLink(result));
url = (result == null ? uri : result); url = (changed ? result : uri);
} else if (uri.getPath() != null && } else if (uri.getPath() != null &&
uri.getPath().startsWith("/track/click") && uri.getPath().startsWith("/track/click") &&
uri.getQueryParameter("p") != null) { uri.getQueryParameter("p") != null) {
Uri result = null;
try { try {
// Mandrill // Mandrill
String p = new String(Base64.decode(uri.getQueryParameter("p"), Base64.URL_SAFE)); String p = new String(Base64.decode(uri.getQueryParameter("p"), Base64.URL_SAFE));
JSONObject json = new JSONObject(p); JSONObject json = new JSONObject(p);
json = new JSONObject(json.getString("p")); json = new JSONObject(json.getString("p"));
Uri result = Uri.parse(json.getString("url")); result = Uri.parse(json.getString("url"));
changed = (result != null);
url = (result == null ? uri : result);
} catch (Throwable ex) { } catch (Throwable ex) {
Log.i(ex); Log.i(ex);
url = uri;
} }
changed = (result != null && isHyperLink(result));
url = (changed ? result : uri);
} else if (uri.getHost() != null && uri.getHost().endsWith(".awstrack.me")) { } else if (uri.getHost() != null && uri.getHost().endsWith(".awstrack.me")) {
// https://docs.aws.amazon.com/ses/latest/dg/configure-custom-open-click-domains.html // https://docs.aws.amazon.com/ses/latest/dg/configure-custom-open-click-domains.html
String path = uri.getPath(); String path = uri.getPath();
int s = path.indexOf('/', 1); int s = path.indexOf('/', 1);
Uri result = (s > 0 ? Uri.parse(path.substring(s + 1)) : null); Uri result = (s > 0 ? Uri.parse(path.substring(s + 1)) : null);
changed = (result != null); changed = (result != null && isHyperLink(result));
url = (result == null ? uri : result); url = (changed ? result : uri);
} else if (uri.getQueryParameterNames().size() == 1) {
// Sophos Email Appliance
Uri result = null;
String key = uri.getQueryParameterNames().iterator().next();
if (TextUtils.isEmpty(uri.getQueryParameter(key)))
try {
String data = new String(Base64.decode(key, Base64.URL_SAFE));
int v = data.indexOf("ver=");
int u = data.indexOf("&&url=");
if (v == 0 && u > 0)
result = Uri.parse(URLDecoder.decode(data.substring(u + 6), StandardCharsets.UTF_8.name()));
} catch (Throwable ex) {
Log.w(ex);
}
changed = (result != null);
url = (result == null ? uri : result);
} else if (uri.getQueryParameter("redirectUrl") != null) { } else if (uri.getQueryParameter("redirectUrl") != null) {
// https://.../link-tracker?redirectUrl=<base64>&sig=...&iat=...&a=...&account=...&email=...&s=...&i=... // https://.../link-tracker?redirectUrl=<base64>&sig=...&iat=...&a=...&account=...&email=...&s=...&i=...
Uri result = null;
try { try {
byte[] bytes = Base64.decode(uri.getQueryParameter("redirectUrl"), Base64.URL_SAFE); byte[] bytes = Base64.decode(uri.getQueryParameter("redirectUrl"), Base64.URL_SAFE);
String u = URLDecoder.decode(new String(bytes), StandardCharsets.UTF_8.name()); String u = URLDecoder.decode(new String(bytes), StandardCharsets.UTF_8.name());
Uri result = Uri.parse(u); result = Uri.parse(u);
changed = (result != null);
url = (result == null ? uri : result);
} catch (Throwable ex) { } catch (Throwable ex) {
Log.i(ex); Log.i(ex);
url = uri;
} }
} else { changed = (result != null && isHyperLink(result));
// Try base64 last path segment url = (changed ? result : uri);
} else
url = uri;
if (!changed) {
// Sophos Email Appliance
// http://<host>/?<base64>
Uri result = null;
try {
if (uri.getQueryParameterNames().size() == 1) {
String key = uri.getQueryParameterNames().iterator().next();
if (TextUtils.isEmpty(uri.getQueryParameter(key))) {
String data = new String(Base64.decode(key, Base64.URL_SAFE));
int v = data.indexOf("ver=");
int u = data.indexOf("&&url=");
if (v == 0 && u > 0)
result = Uri.parse(URLDecoder.decode(data.substring(u + 6), StandardCharsets.UTF_8.name()));
}
}
} catch (Throwable ex) {
Log.i(ex);
}
changed = (result != null && isHyperLink(result));
url = (changed ? result : uri);
}
if (!changed) {
// go.dhlparcel.nl and others // go.dhlparcel.nl and others
// Try base64 last path segment
Uri result = null;
String path = uri.getPath();
try { try {
String path = uri.getPath(); if (path != null) {
String b = null; int s = path.lastIndexOf('/');
int s = path.lastIndexOf('/'); if (s > 0) {
if (s > 0) String b = new String(Base64.decode(path.substring(s + 1), Base64.URL_SAFE));
try { result = Uri.parse(b);
b = new String(Base64.decode(path.substring(s + 1), Base64.URL_SAFE));
} catch (IllegalArgumentException ignored) {
} }
Uri result = (b == null ? null : Uri.parse(b)); }
changed = (result != null && result.getScheme() != null);
url = (result == null ? uri : result);
} catch (Throwable ex) { } catch (Throwable ex) {
Log.i(ex); Log.i(ex);
url = uri;
} }
changed = (result != null && isHyperLink(result));
url = (changed ? result : uri);
} }
if (url.isOpaque() || !isHyperLink(url)) if (url.isOpaque() || !isHyperLink(url))
@ -412,12 +420,9 @@ public class UriHelper {
for (String value : url.getQueryParameters(key)) { for (String value : url.getQueryParameters(key)) {
Log.i("Query " + key + "=" + value); Log.i("Query " + key + "=" + value);
Uri suri = Uri.parse(value); Uri suri = Uri.parse(value);
if ("http".equals(suri.getScheme()) || "https".equals(suri.getScheme())) { if (suri != null && isHyperLink(suri)) {
Uri s = sanitize(suri); Uri s = sanitize(suri);
if (s != null) { return (s == null ? suri : s);
changed = true;
value = s.toString();
}
} }
builder.appendQueryParameter(key, value); builder.appendQueryParameter(key, value);
} }
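Review bot: The base64 last-path-segment fallback (the `go.dhlparcel.nl and others` block guarded by `if (!changed)`, just before `if (url.isOpaque() ...)`) appears to run for every URI for which no earlier branch set `changed`, yet the rewrite replaced the old narrow `catch (IllegalArgumentException ignored)` around `Base64.decode` with a `catch (Throwable ex) { Log.i(ex); }` around the whole probe, so every ordinary link whose final segment is not valid base64 (a constructed example: `/index.html`) now logs an exception, and `Throwable` also swallows errors that should propagate. Keep the narrow catch for the expected failure, e.g. `} catch (IllegalArgumentException ignored) { /* last segment is not base64 - the normal case */ }`, and leave only an unexpected failure in `Uri.parse` to the broader handler, or drop the log there. Separately, in the last hunk the new `return (s == null ? suri : s);` inside `for (String value : url.getQueryParameters(key))` abandons the builder and returns the first URL-valued parameter wholesale, where the old code substituted the sanitized value and kept appending; if that is intended, a one-line comment such as `// a URL-valued query parameter is treated as the redirect target; stop rebuilding` would make it explicit. The enclosing method starts before the first hunk and its parameter loop continues past the last one.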
