From 255527cc2376ff3e7e5e825ffde30b91e510b1aa Mon Sep 17 00:00:00 2001
From: ansuz <ansuz@transitiontech.ca>
Date: Fri, 11 Dec 2020 17:48:15 +0530
Subject: [PATCH] reject protocol-relative URLs in 'parsePadURL'

---
 www/assert/main.js        | 12 +++++++++---
 www/common/common-hash.js |  2 +-
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/www/assert/main.js b/www/assert/main.js
index c29b3bfa3..a467bfc67 100644
--- a/www/assert/main.js
+++ b/www/assert/main.js
@@ -334,6 +334,12 @@ define([
             !secret.hashData.present);
     }, "test support for ugly tracking query paramaters in url");
 
+    assert(function (cb) {
+        var url = '//cryptpad.fr/pad/#/2/pad/edit/oRE0oLCtEXusRDyin7GyLGcS/';
+        var parsed = Hash.isValidHref(url);
+        cb(!parsed);
+    }, "test that protocol relative URLs are rejected");
+
     assert(function (cb) {
         var keys = Block.genkeys(Nacl.randomBytes(64));
         var hash = Block.getBlockHash(keys);
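Review bot: The added test asserts only `!parsed`, so it would also pass if `Hash.isValidHref` returned a falsy value for an unrelated reason, for instance if the hash segment of the sample URL did not parse. A positive control would tie the rejection to the leading `//`: `var control = Hash.isValidHref('https:' + url);` followed by `cb(Boolean(control) && !parsed);`, assuming that hash is accepted in absolute form. Logging both values on failure, as the neighbouring tests do with `console.log(v1, v2, v3, v4)`, would make a regression easier to diagnose.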
@@ -349,7 +355,7 @@ define([
         var v3 = Hash.isValidHref('/pad');
         var v4 = Hash.isValidHref('/pad/');
 
-        var res = v1 && v2 && v3 && v4;
+        var res = Boolean(v1 && v2 && v3 && v4);
         cb(res);
         if (!res) {
             console.log(v1, v2, v3, v4);
@@ -361,7 +367,7 @@ define([
         var v3 = Hash.isValidHref('/pad#'); // Invalid
         var v4 = Hash.isValidHref('/pad/#');
 
-        var res = v1 && v2 && v3 && v4;
+        var res = Boolean(v1 && v2 && v3 && v4);
         cb(res);
         if (!res) {
             console.log(v1, v2, v3, v4);
@@ -373,7 +379,7 @@ define([
         var v3 = Hash.isValidHref('https://cryptpad.fr/pad/#67b8385b07352be53e40746d2be6ccd7XAYSuJYYqa9NfmInyHci7LNy');
         var v4 = Hash.isValidHref('/pad/#/2/pad/edit/HGu0tK2od-2BBnwAz2ZNS-t4/p/embed');
 
-        var res = v1 && v2 && v3 && v4;
+        var res = Boolean(v1 && v2 && v3 && v4);
         cb(res);
         if (!res) {
             console.log(v1, v2, v3, v4);
diff --git a/www/common/common-hash.js b/www/common/common-hash.js
index c5133fae0..afdecbf57 100644
--- a/www/common/common-hash.js
+++ b/www/common/common-hash.js
@@ -465,7 +465,7 @@ Version 4: Data URL when not a realtime link yet (new pad or "static" app)
 
         if (!/^https*:\/\//.test(href)) {
             // If it doesn't start with http(s), it should be a relative href
-            if (!/^\//.test(href)) { return ret; } // XXX this will allow protocol relative URLs
+            if (!/^\/($|[^\/])/.test(href)) { return ret; }
             idx = href.indexOf('/#');
             ret.type = href.slice(1, idx);
             if (idx === -1) { return ret; }
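Review bot: The new pattern `/^\/($|[^\/])/` rejects `//host` but still accepts an href that begins with `/\`, which browser URL parsers treat the same as `//` for http(s) URLs, so the protocol-relative form can still pass this check if the href is later resolved or navigated to in a browser (the callers are not visible here). Excluding the backslash as well closes that gap: `if (!/^\/($|[^\/\\])/.test(href)) { return ret; }`, with a matching case added in `www/assert/main.js`. A short comment such as `// reject protocol-relative hrefs ('//host'), which resolve to another origin` would preserve the reasoning that the removed XXX note carried. Separately, the context line's `^https*:` also matches `httpss://`, and `https?` is presumably what was meant. The enclosing function begins and ends outside this hunk.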