From 8f722a2219f7a3cc74aa79ac29832d223fd20cad Mon Sep 17 00:00:00 2001
From: Fabian Henneke
Date: Wed, 25 Mar 2020 20:21:56 +0100
Subject: Fix: Properly handle IP addresses and invalid domains in Autofill (#664)

Mozilla's getPublicSuffixPlusOne is only meant to be invoked on syntactically valid domain names. In particular, it does not give reasonable results for IP addresses. This commit ensures that the domain passed to getPublicSuffixPlusOne is syntactically valid and not an IP address (the latter is unfortunately considered a domain by the Android validation patterns).
---
 .../zeapo/pwdstore/autofill/oreo/PublicSuffixListCache.kt | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/app/src/main/java/com/zeapo/pwdstore/autofill/oreo/PublicSuffixListCache.kt b/app/src/main/java/com/zeapo/pwdstore/autofill/oreo/PublicSuffixListCache.kt
index c4f80f1a..12d9a8c4 100644
--- a/app/src/main/java/com/zeapo/pwdstore/autofill/oreo/PublicSuffixListCache.kt
+++ b/app/src/main/java/com/zeapo/pwdstore/autofill/oreo/PublicSuffixListCache.kt
@@ -5,6 +5,7 @@
 package com.zeapo.pwdstore.autofill.oreo

 import android.content.Context
+import android.util.Patterns
 import kotlinx.coroutines.runBlocking
 import mozilla.components.lib.publicsuffixlist.PublicSuffixList
 
@@ -34,6 +35,16 @@ fun cachePublicSuffixList(context: Context) {
 * the return value for valid domains.
 */
 fun getPublicSuffixPlusOne(context: Context, domain: String) = runBlocking {
- PublicSuffixListCache.getOrCachePublicSuffixList(context).getPublicSuffixPlusOne(domain)
- .await() ?: domain
+ // We only feed valid domain names which are not IP addresses into getPublicSuffixPlusOne.
+ // We do not check whether the domain actually exists (actually, not even whether its TLD
+ // exists). As long as we restrict ourselves to syntactically valid domain names,
+ // getPublicSuffixPlusOne will return non-colliding results.
+ if (!Patterns.DOMAIN_NAME.matcher(domain).matches() || Patterns.IP_ADDRESS.matcher(domain)
+ .matches()
+ ) {
+ domain
+ } else {
+ PublicSuffixListCache.getOrCachePublicSuffixList(context).getPublicSuffixPlusOne(domain)
+ .await() ?: domain
+ }
 }
-- cgit v1.2.3
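Review bot: The non-collision claim in the new comment depends on how `Patterns.DOMAIN_NAME` and `Patterns.IP_ADDRESS` classify edge inputs, and nothing in the hunk pins that down. `Patterns.IP_ADDRESS` only matches dotted-quad IPv4, so IPv6 literals, trailing-dot names and other unusual host strings reach the unchanged-return branch only if `DOMAIN_NAME` happens to reject them, which I cannot confirm from here. The returned string is presumably the key that decides which stored entries Autofill offers for a site, so I would add unit tests for those inputs. I would also name the condition, e.g. `val isLookupCandidate = Patterns.DOMAIN_NAME.matcher(domain).matches() && !Patterns.IP_ADDRESS.matcher(domain).matches()`, so the two branches read as "suffix lookup" versus "exact match". The KDoc whose tail is visible as context starts outside the hunk; it should state that IP addresses and syntactically invalid names are returned unchanged.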