author | Fabian Henneke <FabianHenneke@users.noreply.github.com> | 2020-03-25 20:21:56 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-03-25 20:21:56 +0100 |
commit | 8f722a2219f7a3cc74aa79ac29832d223fd20cad (patch) | |
tree | b50c3f313605ea140d5bd2b862c5ab897ddcc0ac /app/src/main/java/com/zeapo | |
parent | fde16c60f4ce5d57a0c7d5a0186dcd532a23f0f0 (diff) |
Fix: Properly handle IP addresses and invalid domains in Autofill (#664)
Mozilla's getPublicSuffixPlusOne is only meant to be invoked on syntactically
valid domain names. In particular, it does not give reasonable results for IP
addresses.
This commit ensures that the domain passed to getPublicSuffixPlusOne is
syntactically valid and not an IP address (the latter is unfortunately
considered a domain by the Android validation patterns).
Diffstat (limited to 'app/src/main/java/com/zeapo')
-rw-r--r-- | app/src/main/java/com/zeapo/pwdstore/autofill/oreo/PublicSuffixListCache.kt | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/app/src/main/java/com/zeapo/pwdstore/autofill/oreo/PublicSuffixListCache.kt b/app/src/main/java/com/zeapo/pwdstore/autofill/oreo/PublicSuffixListCache.kt
index c4f80f1a..12d9a8c4 100644
--- a/app/src/main/java/com/zeapo/pwdstore/autofill/oreo/PublicSuffixListCache.kt
+++ b/app/src/main/java/com/zeapo/pwdstore/autofill/oreo/PublicSuffixListCache.kt
@@ -5,6 +5,7 @@ package com.zeapo.pwdstore.autofill.oreo
 import android.content.Context
+import android.util.Patterns
 import kotlinx.coroutines.runBlocking
 import mozilla.components.lib.publicsuffixlist.PublicSuffixList
@@ -34,6 +35,16 @@ fun cachePublicSuffixList(context: Context) {
 * the return value for valid domains.
 */
 fun getPublicSuffixPlusOne(context: Context, domain: String) = runBlocking {
- PublicSuffixListCache.getOrCachePublicSuffixList(context).getPublicSuffixPlusOne(domain)
- .await() ?: domain
+ // We only feed valid domain names which are not IP addresses into getPublicSuffixPlusOne.
+ // We do not check whether the domain actually exists (actually, not even whether its TLD
+ // exists). As long as we restrict ourselves to syntactically valid domain names,
+ // getPublicSuffixPlusOne will return non-colliding results.
+ if (!Patterns.DOMAIN_NAME.matcher(domain).matches() || Patterns.IP_ADDRESS.matcher(domain)
+ .matches()
+ ) {
+ domain
+ } else {
+ PublicSuffixListCache.getOrCachePublicSuffixList(context).getPublicSuffixPlusOne(domain)
+ .await() ?: domain
+ }
 }
|
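Review bot: The new guard in `getPublicSuffixPlusOne` matches `domain` exactly as received, with no case normalization before the `Patterns.DOMAIN_NAME` / `Patterns.IP_ADDRESS` checks, so whether `Example.COM` and `example.com` yield the same key depends on how the Mozilla lookup treats case, which this hunk does not show. Because the result decides which site an Autofill entry is associated with, it is worth confirming that callers always pass a canonical lower-case host, or lower-casing the value at the top of this function. The fallback branch returns the input verbatim for IP addresses and invalid names, and the KDoc above (it starts outside the hunk) only mentions valid domains; consider adding `* IP addresses and syntactically invalid domain names are returned unchanged.` there. A unit test covering an IPv4 literal, a syntactically invalid name and an ordinary host would pin this contract.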