
urlevaluator's People

Contributors

duetosymmetry, nicolassmith, tbroyer


urlevaluator's Issues

Potential vulnerability in handling intents

Hi,

The intent filters specify a list of known hosts. But in the UrlEvaluatorActivity activity, the URL is not checked against the lists specified in the manifest file. This can be used maliciously as follows:

A malicious app can send an explicit intent to the app. Because this app does not check whether the URL is one of those possible short URLs, it tries to connect to the passed URL. The URL is hosted on a domain that is controlled by the attacker. Therefore the malicious server sets the Content-Location header to a URL containing an encoded part of a malware binary (e.g., myprotocl://abc.com/content=123FE435...). The app extracts this location and tries to create a new intent with the VIEW action. If the malicious app has an intent filter with any host (host=""), scheme="myscheme" and pathPattern="/content=.", then it will receive the malware content. If the size does not permit, it can perform several similar queries to collect the parts of the malware.

Can you confirm this possible vulnerability, please?
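One way to add the check the report above says is missing, as an added example written for this page rather than code from the urlevaluator project: the class below is plain Java (so it runs with a JDK alone, no Android SDK); the class and method names, the host allowlist and the sample inputs are assumptions. It rejects an incoming URL whose host is not a declared shortener, so an explicit intent cannot make the app connect to an attacker-controlled domain, and it refuses to wrap a resolved destination in a VIEW intent unless it is an absolute http(s) URL, which closes the custom-scheme path described in the report.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/*
 * Added example, not code from the urlevaluator project. Two checks an
 * Activity would run: one on the URL it received in an intent (before any
 * network request), one on the Location the shortener answered with
 * (before building an ACTION_VIEW intent). The allowlist, names and inputs
 * are assumptions; the real host list lives in AndroidManifest.xml.
 */
public final class IntentUrlPolicy {

    // Assumed allowlist. Mirror the <data android:host="..."> entries the
    // manifest declares, so an explicit intent cannot widen the set.
    private static final Set<String> SHORTENER_HOSTS = Set.of(
            "t.co", "bit.ly", "j.mp", "tinyurl.com", "youtu.be", "ow.ly");

    private IntentUrlPolicy() {}

    /** True only if the incoming URL is http(s) and its host is a known shortener. */
    public static boolean isKnownShortener(String rawUrl) {
        URI uri = parse(rawUrl);
        if (uri == null || uri.getHost() == null || !isWebScheme(uri)) {
            return false;
        }
        // Exact host match, lower-cased; no suffix matching, so a lookalike
        // such as "t.co.attacker.example" is rejected.
        return SHORTENER_HOSTS.contains(uri.getHost().toLowerCase(Locale.ROOT));
    }

    /**
     * True only if a resolved destination (e.g. taken from a Location or
     * Content-Location header) is safe to hand to an ACTION_VIEW intent:
     * it must be an absolute http(s) URL with a host. Custom schemes are
     * refused, so a hostile server cannot route data to whichever app
     * registered an intent filter for that scheme.
     */
    public static boolean isSafeDestination(String rawUrl) {
        URI uri = parse(rawUrl);
        return uri != null && uri.isAbsolute() && uri.getHost() != null && isWebScheme(uri);
    }

    private static boolean isWebScheme(URI uri) {
        String scheme = uri.getScheme();
        return "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
    }

    private static URI parse(String rawUrl) {
        if (rawUrl == null) return null;
        try {
            return new URI(rawUrl.trim());
        } catch (URISyntaxException e) {
            return null;   // unparsable input is treated as unsafe
        }
    }

    // Constructed inputs for a stand-alone run; an Activity would pass the
    // intent's data URI and the resolved Location instead.
    public static void main(String[] args) {
        String[] incoming = {
                "http://t.co/abc123",                 // allowed
                "http://attacker.example/redirect",   // host not a known shortener
                "http://t.co.attacker.example/x",     // lookalike host
                "myprotocol://t.co/abc"               // wrong scheme
        };
        for (String u : incoming) {
            System.out.println("incoming  " + u + " -> " + isKnownShortener(u));
        }
        String[] resolved = {
                "https://example.org/article",            // safe to VIEW
                "myprotocol://abc.com/content=123FE435"   // refused
        };
        for (String u : resolved) {
            System.out.println("resolved  " + u + " -> " + isSafeDestination(u));
        }
    }
}
```

The manifest filter only governs implicit intents; an explicit intent reaches the Activity regardless, so the allowlist has to be enforced in code and kept in sync with the manifest's host entries.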

Test infrastructure

It could possibly be useful to have an activity that makes a bunch of intents based on some test short URLs, to make sure that changes don't break things.

Add j.mp

Just clicked through a j.mp link that urlevaluator didn't detect: https://twitter.com/typekit/status/312283964322746368 (it resolved the t.co but then displayed "evaluated as <the j.mp URL>" and opened a browser (or in my case, showed the chooser to select a browser, with no Short URL Evaluator in the list)).

What to do about redirection to mobile sites

The problem is as follows:

  1. tinyurl (and potentially others) always has more than one redirect (first a 301 redirect, and then a JavaScript redirect) before going to the intended destination.
  2. Thus I made the MultipleRedirectEvaluatorTask class, so that we only return the URL once we go all the way down the rabbit hole.
  3. But some websites (yelp.com) have a redirect (of type 303) that points to the mobile site, which is not the real intended destination.

Possible solutions:

  1. Fake the user agent (what does the Android HttpConnection use?) to hide that we are a mobile device, thus preventing the mobile redirect. However, when I tried this, it broke t.co links (they responded with 200 OK and no redirect; I still don't understand why this happened).
  2. Don't use MultipleRedirect at all; just let an intent get thrown at each step of the way. Slightly ugly and annoying, but possibly more robust.
  3. Only follow certain types of redirects (i.e. only 301, not 303). This is the current solution, but what happens if there is a redirector service that does use 303? It seems that some (youtu.be) use 302. Are we safe to redirect on everything except 303?
  4. In the case of tinyurl, we know that there are 2 redirects; should we just keep track of how many redirects we expect, and only go to that depth before returning? This seems robust but requires more maintenance.

Adding more hosts to MultipleRedirect

Now that the multiple redirect class is fairly robust, I was thinking of making t.co use it, due to the fact that those are often multiple redirects.

Alternatively we could make the multiple redirect class be the default one. Thoughts?

Clarify the project licensing

Before I start contributing, I'd like to know which license you chose for the project? Apache 2.0, Public Domain, MIT, BSD, GPL?

Some URLs not evaluating

1:56 PM Leo: bork bork bork
something is borked in urlevaluator
i haven't debugged it
1:57 PM but i imagine it has something to do with HEAD requests not working out?
i should look into it
7 minutes
2:04 PM me: can you email me a url that is borked?
Leo: lemme see
2:06 PM check this one ...
http://ow.ly/kxPwZ
2:07 PM except i'm not sure if that is the actual URL
because on twitter sometimes people tweet short URLs and twitter reshortens them, stupidly
2:08 PM also
http://qr.ae/TEhXB
5 minutes
2:13 PM me: yes, i get errors on those
but i can't debug right now
2:14 PM Leo: no prob bob
do you send any request headers?
2:15 PM it looks like ow.ly requires a Host:ow.ly request header
i tried this with telnet by hand :P
old school, yo
if I leave off that header, it gives a 503. If I give just that one header, I get a 301 Moved
2:17 PM me: did owly work before we made request("HEAD")?
2:18 PM Leo: yeah
me: hmmm
Leo: oh maybe? idk
i was just assuming
ass u me
me: can you open an issue and put this info in it
Leo: haha good idea

Shortener for Oxford

oxford.ly
This is dumb; the domain name is longer than oed.com. Nonetheless, this is a dedicated shortening service.

Infinite redirect loop

t.co seems to give infinite redirect loops. This basically makes Twitter unusable. I'm traveling tomorrow to a conference so won't have a chance to investigate further until a week from now.
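The redirect policy debated in "What to do about redirection to mobile sites" (and the proposal in "Adding more hosts to MultipleRedirect") together with the loop reported just above, as one added example: this is not the project's MultipleRedirectEvaluatorTask, and the class names, the set of status codes it follows, the hop limit and the constructed responses are all assumptions. The resolver follows 301/302/307/308 only, stops at a 303 so the pre-mobile URL is returned, caps the depth, records every URL it has visited so a t.co-style loop ends with a clear reason instead of running forever, and refuses a Location with a non-http(s) scheme. Fetching is behind a small interface with an in-memory fake, so the block runs offline with a plain JDK (Java 16 or later, for records).

```java
import java.net.URI;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/*
 * Added example, not code from the urlevaluator project. A redirect
 * resolver whose policy (which codes to follow, how deep, no loops, web
 * schemes only) is explicit. Names, limits and sample chains are assumed.
 */
public final class RedirectResolver {

    /** What one HEAD/GET yields: status code and the Location header, if any. */
    public interface Fetcher {
        Response fetch(URI url);
    }

    public record Response(int status, String location) {}

    /** The URL the chain stopped at, and why it stopped there. */
    public record Result(URI finalUrl, String reason) {}

    // 303 is deliberately absent: the issue reports yelp.com using it to
    // send mobile clients to m.* sites, which is not the intended target.
    private static final Set<Integer> FOLLOW = Set.of(301, 302, 307, 308);

    private final Fetcher fetcher;
    private final int maxHops;

    public RedirectResolver(Fetcher fetcher, int maxHops) {
        this.fetcher = fetcher;
        this.maxHops = maxHops;
    }

    public Result resolve(URI start) {
        Set<URI> seen = new HashSet<>();
        URI current = start;
        for (int hop = 0; hop < maxHops; hop++) {
            if (!seen.add(current)) {
                return new Result(current, "redirect loop");   // already visited
            }
            Response r = fetcher.fetch(current);
            if (!FOLLOW.contains(r.status()) || r.location() == null) {
                return new Result(current, "status " + r.status());
            }
            URI next = current.resolve(r.location());   // Location may be relative
            String scheme = next.getScheme();
            if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
                return new Result(current, "non-web scheme " + scheme);
            }
            current = next;
        }
        return new Result(current, "max hops reached");
    }

    public static void main(String[] args) {
        // Constructed responses standing in for real servers (assumption).
        Map<String, Response> fake = Map.of(
                "http://tinyurl.com/abc",     new Response(301, "http://example.org/landing"),
                "http://example.org/landing", new Response(200, null),
                "http://yelp.example/biz/x",  new Response(303, "http://m.yelp.example/biz/x"),
                "http://t.co/loop1",          new Response(301, "http://t.co/loop2"),
                "http://t.co/loop2",          new Response(301, "/loop1"),
                "http://evil.example/s",      new Response(302, "myprotocol://abc.com/content=123FE435"));
        Fetcher fetcher = url -> fake.getOrDefault(url.toString(), new Response(404, null));
        RedirectResolver resolver = new RedirectResolver(fetcher, 5);

        for (String s : List.of("http://tinyurl.com/abc", "http://yelp.example/biz/x",
                                "http://t.co/loop1", "http://evil.example/s")) {
            Result r = resolver.resolve(URI.create(s));
            System.out.println(s + " -> " + r.finalUrl() + " (" + r.reason() + ")");
        }
    }
}
```

Backing Fetcher with HttpURLConnection means calling setInstanceFollowRedirects(false) so this policy, not the library, decides what to follow. A JavaScript redirect such as tinyurl's second hop never appears in headers, so it would need a separate step that inspects the HTML body; the hop cap still bounds that work.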

google.com/?url=

Google Now and news apps use this URL form, which all open in the browser. It would be nice if these were caught, evaluated, and sent to the correct apps.
