From d001de09e1ced4446286e33e868b105b46c1700e Mon Sep 17 00:00:00 2001 From: Paul Miller Date: Mon, 6 Apr 2015 11:58:00 -0700 Subject: Forbid javascript- and file-scheme intents BUG:13082135 BUG:19296779 Change-Id: Ifea908b175670fbce65205797b93e87adf25bb3d --- AndroidManifest.xml | 11 ------ src/com/android/browser/IntentHandler.java | 55 +++++++++++++++++++----------- src/com/android/browser/Tab.java | 26 +------------- 3 files changed, 37 insertions(+), 55 deletions(-) diff --git a/AndroidManifest.xml b/AndroidManifest.xml index a90468b..9ea41e6 100644 --- a/AndroidManifest.xml +++ b/AndroidManifest.xml @@ -86,7 +86,6 @@ - @@ -101,16 +100,6 @@ - - - - - - - - - -

diff --git a/src/com/android/browser/IntentHandler.java b/src/com/android/browser/IntentHandler.java index 1b8dfc7..d06d34f 100644 --- a/src/com/android/browser/IntentHandler.java +++ b/src/com/android/browser/IntentHandler.java @@ -29,6 +29,7 @@ import android.os.Bundle; import android.provider.Browser; import android.provider.MediaStore; import android.text.TextUtils; +import android.util.Log; import android.util.Patterns; import com.android.browser.UI.ComboViews; @@ -37,6 +38,7 @@ import com.android.common.Search; import java.util.HashMap; import java.util.Iterator; +import java.util.Locale; import java.util.Map; /** @@ -44,6 +46,8 @@ import java.util.Map; */ public class IntentHandler { + private static final String TAG = "IntentHandler"; + // "source" parameter for Google search suggested by the browser final static String GOOGLE_SEARCH_SOURCE_SUGGEST = "browser-suggest"; // "source" parameter for Google search from unknown source @@ -51,6 +55,12 @@ public class IntentHandler { /* package */ static final UrlData EMPTY_URL_DATA = new UrlData(null); + private static final String[] SCHEME_WHITELIST = { + "http", + "https", + "about", + }; + private Activity mActivity; private Controller mController; private TabControl mTabControl; @@ -64,6 +74,12 @@ public class IntentHandler { } void onNewIntent(Intent intent) { + Uri uri = intent.getData(); + if (uri != null && isForbiddenUri(uri)) { + Log.e(TAG, "Aborting intent with forbidden uri, \"" + uri + "\""); + return; + } + Tab current = mTabControl.getCurrentTab(); // When a tab is closed on exit, the current tab index is set to -1. // Reset before proceed as Browser requires the current tab to be set. @@ -107,33 +123,18 @@ public class IntentHandler { urlData = new UrlData(mSettings.getHomePage()); } - // If url is to view private data files, don't allow. - Uri uri = intent.getData(); - if (uri != null && uri.getScheme().toLowerCase().startsWith("file") && - uri.getPath().startsWith(mActivity.getDatabasePath("foo").getParent())) { - return; - } - if (intent.getBooleanExtra(Browser.EXTRA_CREATE_NEW_TAB, false) || urlData.isPreloaded()) { Tab t = mController.openTab(urlData); return; } /* - * TODO: Don't allow javascript URIs - * 0) If this is a javascript: URI, *always* open a new tab - * 1) If the URL is already opened, switch to that tab - * 2-phone) Reuse tab with same appId - * 2-tablet) Open new tab + * If the URL is already opened, switch to that tab + * phone: Reuse tab with same appId + * tablet: Open new tab */ final String appId = intent .getStringExtra(Browser.EXTRA_APPLICATION_ID); - if (!TextUtils.isEmpty(urlData.mUrl) && - urlData.mUrl.startsWith("javascript:")) { - // Always open javascript: URIs in new tabs - mController.openTab(urlData); - return; - } if (Intent.ACTION_VIEW.equals(action) && (appId != null) && appId.startsWith(mActivity.getPackageName())) { @@ -314,8 +315,24 @@ public class IntentHandler { return true; } + private static boolean isForbiddenUri(Uri uri) { + String scheme = uri.getScheme(); + // Allow URIs with no scheme + if (scheme == null) { + return false; + } + + scheme = scheme.toLowerCase(Locale.US); + for (String allowed : SCHEME_WHITELIST) { + if (allowed.equals(scheme)) { + return false; + } + } + return true; + } + /** - * A UrlData class to abstract how the content will be set to WebView. + * A UrlData class to abstract how the content will be sent to WebView. * This base class uses loadUrl to show the content. */ static class UrlData { diff --git a/src/com/android/browser/Tab.java b/src/com/android/browser/Tab.java index dc1944e..a4d2ce0 100644 --- a/src/com/android/browser/Tab.java +++ b/src/com/android/browser/Tab.java @@ -74,9 +74,7 @@ import com.android.browser.TabControl.OnThumbnailUpdatedListener; import com.android.browser.homepages.HomeProvider; import com.android.browser.provider.SnapshotProvider.Snapshots; -import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; -import java.io.File; import java.io.IOException; import java.io.OutputStream; import java.nio.ByteBuffer; @@ -105,8 +103,6 @@ class Tab implements PictureListener { private static final int CAPTURE_DELAY = 100; private static final int INITIAL_PROGRESS = 5; - private static final String RESTRICTED = "not allowed"; - private static Bitmap sDefaultFavicon; private static Paint sAlphaPaint = new Paint(); @@ -609,27 +605,7 @@ class Tab implements PictureListener { @Override public WebResourceResponse shouldInterceptRequest(WebView view, String url) { - Uri uri = Uri.parse(url); - if (uri.getScheme().toLowerCase().equals("file")) { - File file = new File(uri.getPath()); - try { - if (file.getCanonicalPath().startsWith( - mContext.getApplicationContext().getApplicationInfo().dataDir)) { - return new WebResourceResponse("text/html","UTF-8", - new ByteArrayInputStream(RESTRICTED.getBytes("UTF-8"))); - } - } catch (Exception ex) { - Log.e(LOGTAG, "Bad canonical path" + ex.toString()); - try { - return new WebResourceResponse("text/html","UTF-8", - new ByteArrayInputStream(RESTRICTED.getBytes("UTF-8"))); - } catch (java.io.UnsupportedEncodingException e) { - } - } - } - WebResourceResponse res = HomeProvider.shouldInterceptRequest( - mContext, url); - return res; + return HomeProvider.shouldInterceptRequest(mContext, url); } @Override -- cgit v1.1