Fix correct favicon downloading #719
Conversation
src/gui/EditWidgetIcons.cpp
Outdated
| resetFaviconDownload(); | ||
| MessageBox::warning(this, tr("Error"), tr("Unable to fetch favicon.")); | ||
| } else { | ||
| m_url = m_url.replace("https","http"); |
There was a problem hiding this comment.
does this work on this url?
https://https.com/https/https.https
There was a problem hiding this comment.
I was actually trying to fix this as well and I used QRegExp on the URL by matching this: (https?://.+)$ it would pick the last URL, even match cmd://firefox https://https.com/https/https.https properly.
There was a problem hiding this comment.
@TheZ3ro don't know if it would be an ok workaround but if a fully qualified URL can't be found it would fall back into pulling a string that looks like a consistent domain name from the end of the string?
Quite many "fallbacks" required to support all kinds of scenarios.
src/core/Entry.cpp
Outdated
|
|
||
| QString Entry::resolveUrl(const QString& url) const | ||
| { | ||
| QStringList parts = url.toLower().split("://"); |
There was a problem hiding this comment.
Maybe it would be better to use QUrl to parse the url and get the scheme
There was a problem hiding this comment.
I was thinking about that as well, the problem here is that when passing to a QUrl an url like www.google.com this is the result:
qDebug() << url.scheme() << url.host() << url.url();
# "" "" "www.google.com"
url.setScheme("https");
qDebug() << url.scheme() << url.host() << url.url();
# "https" "" "https:www.google.com"
Not really what I was expecting.
There was a problem hiding this comment.
What happens if you ensure that the string ends with a slash if it doesn't contain any already?
There was a problem hiding this comment.
And also, passing to QUrl an url like cmd://firefox www.google.com result in:
qDebug() << uurl.scheme() << uurl.host() << uurl.url();
# "cmd" "" ""
src/gui/EditWidgetIcons.cpp
Outdated
| resetFaviconDownload(); | ||
| MessageBox::warning(this, tr("Error"), tr("Unable to fetch favicon.")); | ||
| } else { | ||
| m_url = m_url.replace(0, 5, "http"); |
There was a problem hiding this comment.
You should change the scheme using QUrl::setScheme()
TheZ3ro
force-pushed
the
fix/improveDownloadFavicon
branch
3 times, most recently
from
552b08b to
68c4af6
Compare
|
@phoerious @weslly I've rebased and pushed a new commit that use |
src/core/Entry.cpp
Outdated
| if(uurl.scheme() == "cmd") { | ||
| // URL is a cmd, hopefully the second argument it's an URL | ||
| QStringList cmd = newurl.split(" "); | ||
| return resolveUrl(cmd[1].remove("'").remove("\"")); |
There was a problem hiding this comment.
Need to check if there actually is a second element here.
src/core/Entry.cpp
Outdated
| } | ||
| QUrl uurl = QUrl(newurl); | ||
|
|
||
| if(uurl.scheme() == "cmd") { |
src/core/Entry.cpp
Outdated
| QUrl uurl = QUrl(newurl); | ||
|
|
||
| if(uurl.scheme() == "cmd") { | ||
| // URL is a cmd, hopefully the second argument it's an URL |
src/core/Entry.cpp
Outdated
| QString newurl = url; | ||
| if (!url.contains("://")) { | ||
| // URL doesn't have a protocol, add https by default | ||
| newurl.prepend("https://"); |
There was a problem hiding this comment.
I'm not really sure if we should fallback to https instead of http when the url doesn't have a scheme. While it would be fine for most big sites like google or facebook, it could return a 404 on older sites that don't support SSL. I don't think this would be a security issue since we aren't really submitting any data to the site, just a request for the favicon
There was a problem hiding this comment.
This will add https by default to every webUrl. The the webUrl is used for favicon downloading and for the KeePassHTTP protocol atm.
When downloading the favicon if the connection timeout or has an error, the protocol is downgraded to http.
You can test it with a website like www.stealmylogin.com that doesn't has https enabled
src/gui/EditWidgetIcons.cpp
Outdated
| QUrl tempurl = QUrl(m_url); | ||
| if (tempurl.scheme() == "http") { | ||
| resetFaviconDownload(); | ||
| MessageBox::warning(this, tr("Error"), tr("Unable to fetch favicon.")); |
There was a problem hiding this comment.
Maybe add a hint here to enable Google fallback when it's off. Something along the lines of "Hint: You can enable Google as a fallback under Tools/Settings/Security."
src/gui/EditWidgetIcons.cpp
Outdated
| @@ -235,7 +242,7 @@ void EditWidgetIcons::fetchFaviconFromGoogle(const QString& domain) | |||
| if (config()->get("security/IconDownloadFallbackToGoogle", false).toBool() && m_fallbackToGoogle) { | |||
| resetFaviconDownload(); | |||
| m_fallbackToGoogle = false; | |||
| fetchFavicon(QUrl("http://www.google.com/s2/favicons?domain=" + domain)); | |||
| fetchFavicon(QUrl("https://www.google.com/s2/favicons?domain=" + domain)); | |||
There was a problem hiding this comment.
Since you're already at it, you should properly escape the domain name. See #731.
src/core/Entry.cpp
Outdated
| QString Entry::resolveUrl(const QString& url) const | ||
| { | ||
| #ifdef WITH_XC_HTTP | ||
| QString newurl = url; |
TheZ3ro
force-pushed
the
fix/improveDownloadFavicon
branch
3 times, most recently
from
e70b3fd to
9a9b4ef
Compare
|
I should have fixed all the problems @louib @phoerious Punycode hostname are still a problem due to this #731 (comment) |
|
@phoerious can you take a look at this? |
src/gui/EditWidgetIcons.cpp
Outdated
| @@ -235,7 +243,9 @@ void EditWidgetIcons::fetchFaviconFromGoogle(const QString& domain) | |||
| if (config()->get("security/IconDownloadFallbackToGoogle", false).toBool() && m_fallbackToGoogle) { | |||
| resetFaviconDownload(); | |||
| m_fallbackToGoogle = false; | |||
| fetchFavicon(QUrl("http://www.google.com/s2/favicons?domain=" + domain)); | |||
| QUrl faviconUrl = QUrl("https://www.google.com/s2/favicons"); | |||
| faviconUrl.setQuery("domain=" + domain); | |||
There was a problem hiding this comment.
This is not going to escape domain properly.
|
@phoerious now it's explicitly percent encoded |
|
Why don't you use QUrlQuery like I suggested in GH-731?
You shouldn't have to know how to construct and escape a URL query string
On Mon, Jul 17, 2017 at 12:53 PM TheZ3ro ***@***.***> wrote:
@phoerious <https://github.com/phoerious> now it's explicitly percent
encoded
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#719 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AA0hEk9X97hE1mzrN6Zj99Mhuu2IHMGRks5sO7vMgaJpZM4OJshY>
.
--
Ryan Lopopolo
https://hyperbo.la
|
|
@lopopolo Using From QT documentation of
Also Punycode domain are still a problem since Hope this clarifies the situation |
|
This relies on a lot of implicit behavior (tolerant parsing mode?). I had to go source diving to verify that the two code paths are equivalent because the docs are unintelligible. I think the python zen of "explicit is better than implicit" applies here. |
|
@lopopolo I agree, documentation for this is pretty bad |
TheZ3ro
force-pushed
the
fix/improveDownloadFavicon
branch
from
5bba56f to
a7eabbb
Compare
|
Rebased on top of current 2.2.1 |
- Corrected multiple snap issues [#934, #1011] - Corrected multiple custom icon issues [#708, #719, #994] - Corrected multiple Yubikey issues [#880] - Fixed single instance preventing load on occasion [#997] - Keep entry history when merging databases [#970] - Prevent data loss if passwords were mismatched [#1007] - Fixed crash after merge [#941] - Added configurable auto-type default delay [#703] - Unlock database dialog window comes to front [#663] - Translation and compiling fixes
Description
The user provided URL field can contain various protocol URL other than
httpandhttps(likecmd,ftp,sftp, etc)This PR adds an entry method called
webUrlthat takes the url field, checks if it's web-friendly (check if the protocol ishttporhttps, addshttpsby default if the protocol is missing, tries to extract the url fromcmdprotocol, ...)The
webUrlis then used for downloadingFavicon and for the KeePassHTTP protocol.If the website don't support
https, the request will timeout so we need to retry underhttpThis fixes #238 and #240
How has this been tested?
Writing tests for this is pretty painful.
I've tested this manually with the following url:
www.google.comurl without protocol -> fetch icon forhttps://www.google.comwww.stealmylogin.comurl without protocol, website without https -> checks thehttpsfavicon but fails for timeout and then fetch icon for thehttpversioncmd://firefox www.google.comcmd with url as first command argument -> fetch icon forhttps://www.google.comcmd://firefox "http://no-favicon.com/"cmd with url inside quote, unavailable website -> reportUnable to fetch faviconftp://8.8.8.8ftp protocol -> favicon download button is hidden.If someone wants to try to write tests for this, I would be very happy 😄
Types of changes
Checklist:
-DWITH_ASAN=ON. [REQUIRED]