Avatar: Only allow mxc:// links for avatars

Otherwise an attempt to use a possibly insecure link goes to Connection::getThumbnail(), leading to an assertion failure in splitMediaId(). See also the discussion in QMatrixClient/Quaternion#265.
author: Kitsune Ral <Kitsune-Ral@users.sf.net> 2018-01-24 16:40:04 +0900
committer: Kitsune Ral <Kitsune-Ral@users.sf.net> 2018-01-24 16:40:04 +0900
commit: 36ca96ed4ef0e4f63e6925ea8d6e8b7925473fea (patch)
tree: fb220bbf42b391c32da55a17954349044c94053e
parent: b9b2d97e83ac14798c220d6f6dc4ead1809a9cf7 (diff)
download: libquotient-36ca96ed4ef0e4f63e6925ea8d6e8b7925473fea.tar.gz
libquotient-36ca96ed4ef0e4f63e6925ea8d6e8b7925473fea.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/avatar.cpp b/avatar.cpp
index a13507fb..d3e9cd29 100644
--- a/avatar.cpp
+++ b/avatar.cpp
@@ -113,6 +113,13 @@ bool Avatar::updateUrl(const QUrl& newUrl)
     if (newUrl == d->_url)
         return false;
 
+    // FIXME: Make it a library-wide constant and maybe even make the URL checker
+    // a Connection(?) method.
+    if (newUrl.scheme() != "mxc://"  || newUrl.path().count('/') != 2)
+    {
+        qCWarning(MAIN) << "Malformed avatar URL:" << newUrl.toDisplayString();
+        return false;
+    }
     d->_url = newUrl;
     d->_valid = false;
     return true;
author	Kitsune Ral <Kitsune-Ral@users.sf.net>	2018-01-24 16:40:04 +0900
committer	Kitsune Ral <Kitsune-Ral@users.sf.net>	2018-01-24 16:40:04 +0900
commit	36ca96ed4ef0e4f63e6925ea8d6e8b7925473fea (patch)
tree	fb220bbf42b391c32da55a17954349044c94053e
parent	b9b2d97e83ac14798c220d6f6dc4ead1809a9cf7 (diff)
download	libquotient-36ca96ed4ef0e4f63e6925ea8d6e8b7925473fea.tar.gz libquotient-36ca96ed4ef0e4f63e6925ea8d6e8b7925473fea.zip