CB-7291: Restrict meaning of "*" in internal whitelist to just http and https

2025-01-18 22:52:54 +08:00 · 2014-08-26 14:58:00 -04:00 · 2014-08-26 14:58:00 -04:00 · 6e222c3938
commit 6e222c3938
parent 3b3bd9b6c9
1 changed files with 9 additions and 1 deletions
--- a/framework/src/org/apache/cordova/ConfigXmlParser.java
+++ b/framework/src/org/apache/cordova/ConfigXmlParser.java
@ -119,7 +119,15 @@ public class ConfigXmlParser {
                        if (external) {
                            externalWhitelist.addWhiteListEntry(origin, (subdomains != null) && (subdomains.compareToIgnoreCase("true") == 0));
                        } else {
-                            internalWhitelist.addWhiteListEntry(origin, (subdomains != null) && (subdomains.compareToIgnoreCase("true") == 0));
+                            if ("*".equals(origin)) {
+                                // Special-case * origin to mean http and https when used for internal
+                                // whitelist. This prevents external urls like sms: and geo: from being
+                                // handled internally.
+                                internalWhitelist.addWhiteListEntry("http://*/*", false);
+                                internalWhitelist.addWhiteListEntry("https://*/*", false);
+                            } else {
+                                internalWhitelist.addWhiteListEntry(origin, (subdomains != null) && (subdomains.compareToIgnoreCase("true") == 0));
+                            }
                        }
                    }
                }