authorFabian Henneke <FabianHenneke@users.noreply.github.com>2020-03-25 20:21:56 +0100
committerGitHub <noreply@github.com>2020-03-25 20:21:56 +0100
commit8f722a2219f7a3cc74aa79ac29832d223fd20cad (patch)
treeb50c3f313605ea140d5bd2b862c5ab897ddcc0ac /app/src/main
parentfde16c60f4ce5d57a0c7d5a0186dcd532a23f0f0 (diff)
Fix: Properly handle IP addresses and invalid domains in Autofill (#664)
Mozilla's getPublicSuffixPlusOne is only meant to be invoked on syntactically valid domain names. In particular, it does not give reasonable results for IP addresses. This commit ensures that the domain passed to getPublicSuffixPlusOne is syntactically valid and not an IP address (the latter is unfortunately considered a domain by the Android validation patterns).
Diffstat (limited to 'app/src/main')
-rw-r--r--app/src/main/java/com/zeapo/pwdstore/autofill/oreo/PublicSuffixListCache.kt15
1 files changed, 13 insertions, 2 deletions
diff --git a/app/src/main/java/com/zeapo/pwdstore/autofill/oreo/PublicSuffixListCache.kt b/app/src/main/java/com/zeapo/pwdstore/autofill/oreo/PublicSuffixListCache.kt
index c4f80f1a..12d9a8c4 100644
--- a/app/src/main/java/com/zeapo/pwdstore/autofill/oreo/PublicSuffixListCache.kt
+++ b/app/src/main/java/com/zeapo/pwdstore/autofill/oreo/PublicSuffixListCache.kt
@@ -5,6 +5,7 @@
package com.zeapo.pwdstore.autofill.oreo
import android.content.Context
+import android.util.Patterns
import kotlinx.coroutines.runBlocking
import mozilla.components.lib.publicsuffixlist.PublicSuffixList
@@ -34,6 +35,16 @@ fun cachePublicSuffixList(context: Context) {
* the return value for valid domains.
*/
fun getPublicSuffixPlusOne(context: Context, domain: String) = runBlocking {
- PublicSuffixListCache.getOrCachePublicSuffixList(context).getPublicSuffixPlusOne(domain)
- .await() ?: domain
+ // We only feed valid domain names which are not IP addresses into getPublicSuffixPlusOne.
+ // We do not check whether the domain actually exists (actually, not even whether its TLD
+ // exists). As long as we restrict ourselves to syntactically valid domain names,
+ // getPublicSuffixPlusOne will return non-colliding results.
+ if (!Patterns.DOMAIN_NAME.matcher(domain).matches() || Patterns.IP_ADDRESS.matcher(domain)
+ .matches()
+ ) {
+ domain
+ } else {
+ PublicSuffixListCache.getOrCachePublicSuffixList(context).getPublicSuffixPlusOne(domain)
+ .await() ?: domain
+ }
}
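Review bot: The new first branch of getPublicSuffixPlusOne returns `domain` unchanged for IP addresses and for anything that fails `Patterns.DOMAIN_NAME`, but the KDoc ending just above the hunk (only its tail is visible here) still describes the return value for valid domains only. Since this value presumably decides which stored entries Autofill offers for a site, the fallback belongs in that contract, e.g. `* For IP addresses and syntactically invalid domains, [domain] is returned unchanged.`. The condition is also hard to read with the line break inside the second matcher call; two named locals such as `val isIpAddress = Patterns.IP_ADDRESS.matcher(domain).matches()` and `val isValidDomain = Patterns.DOMAIN_NAME.matcher(domain).matches()` would make the intent explicit. As far as I know `Patterns.IP_ADDRESS` only covers dotted-quad IPv4, so IPv6 literals are excluded only because they fail `DOMAIN_NAME`; a unit test with an IPv4 address, an IPv6 literal and a trailing-dot host would pin down the non-colliding claim made in the comment.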