From 36ca96ed4ef0e4f63e6925ea8d6e8b7925473fea Mon Sep 17 00:00:00 2001
From: Kitsune Ral
Date: Wed, 24 Jan 2018 16:40:04 +0900
Subject: Avatar: Only allow mxc:// links for avatars

Otherwise an attempt to use a possibly insecure link goes to Connection::getThumbnail(), leading to an assertion failure in splitMediaId(). See also the discussion in QMatrixClient/Quaternion#265.
---
 avatar.cpp | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/avatar.cpp b/avatar.cpp
index a13507fb..d3e9cd29 100644
--- a/avatar.cpp
+++ b/avatar.cpp
@@ -113,6 +113,13 @@ bool Avatar::updateUrl(const QUrl& newUrl)
 if (newUrl == d->_url) return false;
+ // FIXME: Make it a library-wide constant and maybe even make the URL checker
+ // a Connection(?) method.
+ if (newUrl.scheme() != "mxc://" || newUrl.path().count('/') != 2)
+ {
+ qCWarning(MAIN) << "Malformed avatar URL:" << newUrl.toDisplayString();
+ return false;
+ }
 d->_url = newUrl;
 d->_valid = false;
 return true;
--
cgit v1.2.3
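Review bot: The new guard in Avatar::updateUrl() compares `newUrl.scheme()` with `"mxc://"`, but QUrl::scheme() returns the scheme name without the `://` separator, so the condition is always true and every avatar URL, valid ones included, is rejected. The path test looks off as well: for `mxc://server/mediaId` the server name is parsed as the authority, leaving a path of `/mediaId` with a single slash. The check fails closed, so no non-mxc link reaches Connection::getThumbnail(), but avatars stop updating; the guard should read `if (newUrl.scheme() != "mxc" || newUrl.path().count('/') != 1)`. An empty URL (avatar removed) also lands in this branch, is logged as malformed and leaves the previous `d->_url` in place, which is worth handling as its own case before the scheme check. The body of updateUrl() starts and ends outside the hunk.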