mirror of https://invent.kde.org/network/falkon.git synced 2024-12-20 10:46:35 +01:00

LocationBar: Only allow whitelisted schemes to be loaded as url

David Rosca 2018-01-27 12:31:39 +01:00
parent c163629f8e
commit eae11b9a9a
No known key found for this signature in database
GPG Key ID: EBC3FC294452C6D8
2 changed files with 18 additions and 7 deletions


@ -128,7 +128,7 @@ void LocationBarTest::loadActionSearchTest()
void LocationBarTest::loadAction_kdebug389491() void LocationBarTest::loadAction_kdebug389491()
{ {
// "site:website.com searchterm" is loaded instead of searched // "site:website.com searchterm" and "link:website.com" are loaded instead of searched
SearchEngine engine; SearchEngine engine;
engine.name = "Test Engine"; engine.name = "Test Engine";
@ -143,9 +143,13 @@ void LocationBarTest::loadAction_kdebug389491()
QCOMPARE(action.type, LocationBar::LoadAction::Search); QCOMPARE(action.type, LocationBar::LoadAction::Search);
QCOMPARE(action.loadRequest.url(), QUrl("http://test/site%3Awebsite.com%20searchterm")); QCOMPARE(action.loadRequest.url(), QUrl("http://test/site%3Awebsite.com%20searchterm"));
action = LocationBar::loadAction("site:website.com?search=searchterm and another"); action = LocationBar::loadAction("link:website.com");
QCOMPARE(action.type, LocationBar::LoadAction::Search);
QCOMPARE(action.loadRequest.url(), QUrl("http://test/link%3Awebsite.com"));
action = LocationBar::loadAction("http://website.com?search=searchterm and another");
QCOMPARE(action.type, LocationBar::LoadAction::Url); QCOMPARE(action.type, LocationBar::LoadAction::Url);
QCOMPARE(action.loadRequest.url(), QUrl("site:website.com?search=searchterm and another")); QCOMPARE(action.loadRequest.url(), QUrl("http://website.com?search=searchterm and another"));
} }
FALKONTEST_MAIN(LocationBarTest) FALKONTEST_MAIN(LocationBarTest)
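Review bot: The new cases in `loadAction_kdebug389491` cover only `http` on the accepted side and `link:` on the rejected side, so the other allowlisted schemes and the spaces-in-query path for a rejected scheme are untested. The removed input `site:website.com?search=searchterm and another` could be kept with the opposite expectation, `QCOMPARE(action.type, LocationBar::LoadAction::Search);`, to pin that a non-listed scheme is never loaded even when the only spaces are in the query. A positive case for each remaining scheme, e.g. `action = LocationBar::loadAction("file:///tmp/x");` (constructed sample) followed by `QCOMPARE(action.type, LocationBar::LoadAction::Url);`, would catch an accidental removal from the list. Whether earlier branches of `loadAction` intercept such input cannot be seen from this page.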


@ -263,11 +263,18 @@ LocationBar::LoadAction LocationBar::loadAction(const QString &text)
// Otherwise load as url // Otherwise load as url
const QUrl &guessedUrl = QUrl::fromUserInput(t); const QUrl &guessedUrl = QUrl::fromUserInput(t);
if (guessedUrl.isValid()) { if (guessedUrl.isValid()) {
// We only allow space in query // Only allow spaces in query
if (!QzTools::containsSpace(guessedUrl.toString(QUrl::RemoveQuery))) { if (!QzTools::containsSpace(guessedUrl.toString(QUrl::RemoveQuery))) {
action.type = LoadAction::Url; // Only allow whitelisted schemes
action.loadRequest = guessedUrl; const QSet<QString> whitelistedSchemes = {
return action; QSL("http"), QSL("https"), QSL("ftp"), QSL("file"),
QSL("about"), QSL("qupzilla")
};
if (whitelistedSchemes.contains(guessedUrl.scheme())) {
action.type = LoadAction::Url;
action.loadRequest = guessedUrl;
return action;
}
} }
} }
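Review bot: The allowlist added inside `loadAction` is a function-local `QSet` that is rebuilt on every call, and nothing next to it says what happens to input whose scheme is rejected. Going by the test added in this commit, such input (`link:website.com`) ends up as `LoadAction::Search`, so text with a non-listed scheme is sent to the configured search engine rather than refused. That is worth a comment beside the list, e.g. `// Any other scheme (e.g. "link:") is not loaded; the text falls through and is treated as a search term`. Declaring the set as `static const QSet<QString> whitelistedSchemes = {` would build it once. The rest of `loadAction` lies outside the hunk, so the fall-through path is inferred from the test rather than seen here.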