Don't allow newlines in URLs, also clean up on http file transfer detection

Marvin W 2019-12-26 15:39:12 +01:00
parent 7d1497a549
commit 4a3cef89fd
No known key found for this signature in database
GPG key ID: 072E9235DB996F2A
2 changed files with 17 additions and 14 deletions


@ -5,6 +5,8 @@ using Xmpp;
namespace Dino.Ui.Util { namespace Dino.Ui.Util {
private static Regex url_regex;
private const string[] allowed_schemes = {"http", "https", "ftp", "ftps", "irc", "ircs", "xmpp", "mailto", "sms", "smsto", "mms", "tel", "geo", "openpgp4fpr", "im", "news", "nntp", "sip", "ssh", "bitcoim", "sftp", "magnet", "vnc"};
private const string[] tango_colors_light = {"FCE94F", "FCAF3E", "E9B96E", "8AE234", "729FCF", "AD7FA8", "EF2929"}; private const string[] tango_colors_light = {"FCE94F", "FCAF3E", "E9B96E", "8AE234", "729FCF", "AD7FA8", "EF2929"};
private const string[] tango_colors_medium = {"EDD400", "F57900", "C17D11", "73D216", "3465A4", "75507B", "CC0000"}; private const string[] tango_colors_medium = {"EDD400", "F57900", "C17D11", "73D216", "3465A4", "75507B", "CC0000"};
private const string[] material_colors_800 = {"D32F2F", "C2185B", "7B1FA2", "512DA8", "303F9F", "1976D2", "0288D1", "0097A7", "00796B", "388E3C", "689F38", "AFB42B", "FFA000", "F57C00", "E64A19", "5D4037"}; private const string[] material_colors_800 = {"D32F2F", "C2185B", "7B1FA2", "512DA8", "303F9F", "1976D2", "0288D1", "0097A7", "00796B", "388E3C", "689F38", "AFB42B", "FFA000", "F57C00", "E64A19", "5D4037"};
@ -246,15 +248,20 @@ public static bool is_24h_format() {
return settings_format == "24h" || p_format == " "; return settings_format == "24h" || p_format == " ";
} }
public static Regex get_url_regex() {
if (url_regex == null) {
url_regex = /\b((https?|ftps?|ircs?|xmpp|mailto|sms|smsto|mms|tel|geo|openpgp4fpr|im|news|nntp|sip|ssh|bitcoin|sftp|magnet|vnc|urn):(\/\/([^\/?#,;!)}>"'»”’\s]+)(\/([^#\s,.;!?)\]}>"'»]|[,.;!)\]}>"'»”’][^?#\s])*)?|([^\/#\s,.;!?)\]}>"'»]|[,.;!)\]}>"'»”’][^\/?#\s])*)(\?([^#\s,.;!?)\]}>"'»]|[,.;!?)\]}>"'»”’][^#\s])+)?(#([^\s,.;!?)\]}>"'»]|[,.;!?)\]}>"'»”’][^\s])+)?)/;
}
return url_regex;
}
public static string parse_add_markup(string s_, string? highlight_word, bool parse_links, bool parse_text_markup, bool already_escaped_ = false) { public static string parse_add_markup(string s_, string? highlight_word, bool parse_links, bool parse_text_markup, bool already_escaped_ = false) {
string s = s_; string s = s_;
bool already_escaped = already_escaped_; bool already_escaped = already_escaped_;
if (parse_links) { if (parse_links) {
string[] allowed_schemes = new string[] {"http", "https", "ftp", "ftps", "irc", "ircs", "xmpp", "mailto", "sms", "smsto", "mms", "tel", "geo", "openpgp4fpr", "im", "news", "nntp", "sip", "ssh", "bitcoin", "sftp", "magnet", "vnc"};
Regex url_regex = /\b((https?|ftps?|ircs?|xmpp|mailto|sms|smsto|mms|tel|geo|openpgp4fpr|im|news|nntp|sip|ssh|bitcoin|sftp|magnet|vnc):(\/\/([^\/?#,;!?)}>"'»”’ ]+)(\/([^# ,.;!?)\]}>"'»]|[,.;!)\]}>"'»”’][^?# ])*)?|([^\/# ,.;!?)\]}>"'»]|[,.;!)\]}>"'»”’][^\/?# ])*)(\?([^# ,.;!?)\]}>"'»]|[,.;!?)\]}>"'»”’][^# ])+)?(#([^ ,.;!?)\]}>"'»]|[,.;!?)\]}>"'»”’][^ ])+)?)/;
MatchInfo match_info; MatchInfo match_info;
url_regex.match(s.down(), 0, out match_info); get_url_regex().match(s.down(), 0, out match_info);
if (match_info.matches()) { if (match_info.matches()) {
int start, end; int start, end;
match_info.fetch_pos(0, out start, out end); match_info.fetch_pos(0, out start, out end);
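Review bot: The new file-level `allowed_schemes` constant spells one scheme `"bitcoim"`, while the removed local array and the pattern in `get_url_regex()` both use `bitcoin`; the pattern also gains `urn`, which the list does not contain. The code that consults `allowed_schemes` lies outside this hunk, but if it still gates which matches become links, `bitcoin:` and `urn:` URLs will match the regex and then be rejected by the allow-list. Change the entry to `"bitcoin"`, then either add `"urn"` to the list or drop it from the alternation. A comment such as `// Must stay in sync with the scheme alternation in get_url_regex()` above the constant would make the coupling explicit. `parse_add_markup` continues past the end of the hunk.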


@ -10,8 +10,8 @@ public class FileProvider : Dino.FileProvider, Object {
private StreamInteractor stream_interactor; private StreamInteractor stream_interactor;
private Dino.Database dino_db; private Dino.Database dino_db;
private Regex url_regex = /^(?i)\b((?:[a-z][\w-]+:(?:\/{1,3}|[a-z0-9%])|www\d{0,3}[.]|[a-z0-9.\-]+[.][a-z]{2,4}\/)(?:[^\s()<>]+|\(([^\s()<>]+|(\([^\s()<>]+\)))*\))+(?:\(([^\s()<>]+|(\([^\s()<>]+\)))*\)|[^\s`!()\[\]{};:'".,<>?«»“”‘’]))$/; private static Regex http_url_regex = /^https?:\/\/([^\s#]*)$/; // Spaces are invalid in URLs and we can't use fragments for downloads
private Regex omemo_url_regex = /^aesgcm:\/\/(.*)#(([A-Fa-f0-9]{2}){48}|([A-Fa-f0-9]{2}){44})$/; private static Regex omemo_url_regex = /^aesgcm:\/\/(.*)#(([A-Fa-f0-9]{2}){48}|([A-Fa-f0-9]{2}){44})$/;
public FileProvider(StreamInteractor stream_interactor, Dino.Database dino_db) { public FileProvider(StreamInteractor stream_interactor, Dino.Database dino_db) {
this.stream_interactor = stream_interactor; this.stream_interactor = stream_interactor;
@ -35,16 +35,12 @@ public class FileProvider : Dino.FileProvider, Object {
} }
public override async bool run(Entities.Message message, Xmpp.MessageStanza stanza, Conversation conversation) { public override async bool run(Entities.Message message, Xmpp.MessageStanza stanza, Conversation conversation) {
if (outer.url_regex.match(message.body)) {
string? oob_url = Xmpp.Xep.OutOfBandData.get_url_from_message(stanza); string? oob_url = Xmpp.Xep.OutOfBandData.get_url_from_message(stanza);
bool normal_file = oob_url != null && oob_url == message.body && FileProvider.http_url_regex.match(message.body);
bool normal_file = oob_url != null && oob_url == message.body; bool omemo_file = FileProvider.omemo_url_regex.match(message.body);
bool omemo_file = outer.omemo_url_regex.match(message.body);
if (normal_file || omemo_file) { if (normal_file || omemo_file) {
yield outer.on_file_message(message, conversation); yield outer.on_file_message(message, conversation);
} }
}
return false; return false;
} }
} }
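Review bot: `http_url_regex` is anchored with `$`, which under GLib's default PCRE semantics also matches just before a single trailing newline. A body of the form `https://host/path\n` therefore still satisfies the pattern even though `[^\s#]*` excludes whitespace, which undercuts the "no newlines in URLs" intent for that one case whenever the OOB URL carries the same trailing newline. Anchor with `\z` instead, e.g. `/^https?:\/\/([^\s#]*)\z/`, or compile the pattern with `RegexCompileFlags.DOLLAR_ENDONLY`. The same applies to `omemo_url_regex`, whose `$` follows the hex fragment. Separately, the old pattern carried `(?i)` and the new one does not, so an upper-case `HTTP://` body is no longer treated as a file transfer; a short comment saying whether that is intended would help.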