Fix: Properly handle IP addresses and invalid domains in Autofill (#664)

Mozilla's getPublicSuffixPlusOne is only meant to be invoked on syntactically valid domain names. In particular, it does not give reasonable results for IP addresses. This commit ensures that the domain passed to getPublicSuffixPlusOne is syntactically valid and not an IP address (the latter is unfortunately considered a domain by the Android validation patterns).
2020-03-25 20:21:56 +01:00 · 2020-03-25 20:21:56 +01:00 · 8f722a2219
commit 8f722a2219
parent fde16c60f4
1 changed files with 13 additions and 2 deletions
--- a/app/src/main/java/com/zeapo/pwdstore/autofill/oreo/PublicSuffixListCache.kt
+++ b/app/src/main/java/com/zeapo/pwdstore/autofill/oreo/PublicSuffixListCache.kt
@ -5,6 +5,7 @@
 package com.zeapo.pwdstore.autofill.oreo

 import android.content.Context
+import android.util.Patterns
 import kotlinx.coroutines.runBlocking
 import mozilla.components.lib.publicsuffixlist.PublicSuffixList

@ -34,6 +35,16 @@ fun cachePublicSuffixList(context: Context) {
 * the return value for valid domains.
 */
 fun getPublicSuffixPlusOne(context: Context, domain: String) = runBlocking {
-    PublicSuffixListCache.getOrCachePublicSuffixList(context).getPublicSuffixPlusOne(domain)
-        .await() ?: domain
+    // We only feed valid domain names which are not IP addresses into getPublicSuffixPlusOne.
+    // We do not check whether the domain actually exists (actually, not even whether its TLD
+    // exists). As long as we restrict ourselves to syntactically valid domain names,
+    // getPublicSuffixPlusOne will return non-colliding results.
+    if (!Patterns.DOMAIN_NAME.matcher(domain).matches() || Patterns.IP_ADDRESS.matcher(domain)
+            .matches()
+    ) {
+        domain
+    } else {
+        PublicSuffixListCache.getOrCachePublicSuffixList(context).getPublicSuffixPlusOne(domain)
+            .await() ?: domain
+    }
 }