Don't open passport links from inside the app.

They contain secret payload that should not be known to Telegram.
2018-08-14 09:49:14 +03:00 · 2018-08-14 09:49:14 +03:00 · cb827406ca
parent 36fcf2c60e
commit cb827406ca
2 changed files with 29 additions and 31 deletions
--- a/Telegram/Resources/langs/lang.strings
+++ b/Telegram/Resources/langs/lang.strings
@ -1043,7 +1043,6 @@ https://github.com/telegramdesktop/tdesktop/blob/master/LEGAL
 "lng_open_this_link" = "Open this link?";
 "lng_open_link" = "Open";
 "lng_open_passport_link" = "Open this Telegram Passport authorization?";
 "lng_allow_bot_pass" = "Allow {bot_name} to pass your Telegram name and ID to the web pages you open via this bot?";
 "lng_allow_bot" = "Allow";
--- a/Telegram/SourceFiles/core/click_handler_types.cpp
+++ b/Telegram/SourceFiles/core/click_handler_types.cpp
@ -23,7 +23,9 @@ https://github.com/telegramdesktop/tdesktop/blob/master/LEGAL
 namespace {
 QString tryConvertUrlToLocal(QString url) {
-	if (url.size() > 8192) url = url.mid(0, 8192);
+	if (url.size() > 8192) {
 		url = url.mid(0, 8192);
 	}
 	using namespace qthelp;
 	auto matchOptions = RegExOption::CaseInsensitive;
@ -105,18 +107,17 @@ QString UrlClickHandler::url() const {
 }
 void UrlClickHandler::Open(QString url, QVariant context) {
-	Ui::Tooltip::Hide();
+	url = tryConvertUrlToLocal(url);
-
+	if (InternalPassportLink(url)) {
 	if (isEmail(url)) {
 		File::OpenEmailLink(url);
 		return;
 	}
-	url = tryConvertUrlToLocal(url);
+	Ui::Tooltip::Hide();
-
+	if (isEmail(url)) {
-	if (url.startsWith(qstr("tg://"), Qt::CaseInsensitive)) {
+		File::OpenEmailLink(url);
 	} else if (url.startsWith(qstr("tg://"), Qt::CaseInsensitive)) {
 		Messenger::Instance().openLocalUrl(url, context);
-	} else {
+	} else if (!url.isEmpty()) {
 		QDesktopServices::openUrl(url);
 	}
 }
@ -142,27 +143,22 @@ TextWithEntities UrlClickHandler::getExpandedLinkTextWithEntities(ExpandLinksMod
 }
 void HiddenUrlClickHandler::Open(QString url, QVariant context) {
-	auto urlText = tryConvertUrlToLocal(url);
+	url = tryConvertUrlToLocal(url);
 	if (InternalPassportLink(url)) {
 		return;
 	}
 	const auto open = [=] {
-		UrlClickHandler::Open(urlText, context);
+		UrlClickHandler::Open(url, context);
 	};
-	if (urlText.startsWith(qstr("tg://"), Qt::CaseInsensitive)) {
+	if (url.startsWith(qstr("tg://"), Qt::CaseInsensitive)) {
-		if (InternalPassportLink(urlText)) {
+		open();
 			Ui::show(
 				Box<ConfirmBox>(
 					lang(lng_open_passport_link),
 					lang(lng_open_link),
 					[=] { Ui::hideLayer(); open(); }),
 				LayerOption::KeepOther);
 		} else {
 			open();
 		}
 	} else {
-		auto parsedUrl = QUrl::fromUserInput(urlText);
+		const auto parsedUrl = QUrl::fromUserInput(url);
-		if (UrlRequiresConfirmation(urlText)) {
+		if (UrlRequiresConfirmation(url)) {
-			auto displayUrl = parsedUrl.isValid()
+			const auto displayUrl = parsedUrl.isValid()
 				? parsedUrl.toDisplayString()
-				: urlText;
+				: url;
 			Ui::show(
 				Box<ConfirmBox>(
 					lang(lng_open_this_link) + qsl("\n\n") + displayUrl,
@ -176,13 +172,16 @@ void HiddenUrlClickHandler::Open(QString url, QVariant context) {
 }
 void BotGameUrlClickHandler::onClick(ClickContext context) const {
-	auto urlText = tryConvertUrlToLocal(url());
+	const auto url = tryConvertUrlToLocal(this->url());
 	if (InternalPassportLink(url)) {
 		return;
 	}
 	const auto open = [=] {
-		UrlClickHandler::Open(urlText, context.other);
+		UrlClickHandler::Open(url, context.other);
 	};
-	if (urlText.startsWith(qstr("tg://"), Qt::CaseInsensitive)) {
+	if (url.startsWith(qstr("tg://"), Qt::CaseInsensitive)) {
-		Messenger::Instance().openLocalUrl(urlText, context.other);
+		open();
 	} else if (!_bot || _bot->isVerified() || Local::isBotTrusted(_bot)) {
 		open();
 	} else {