Prevent USSD codes via Click to Call

Click to Call allows users to send a phone number from their Chrome
desktop instance to their Android phone. This number either comes from a
user's selection and is sent via the context menu, or from clicking on a
link with a "tel:" href.

Sending from the context menu is gated by a regular expression and will
not allow any special characters like '#' or '*' to be contained in the

Sending link hrefs does not go through that check as we assume the link
is a valid phone number. We do call GURL::GetContent() to get the number
which should discard anything after a (and including the) '#' character.
However, we also URL-decoded the resulting string before then sending it
over to Android, where we URL-decoded it again when constructing the
Dialer intent. This allows sending double-URL-encoded USSD tel links
which will be sent straight to the Dialer on certain Android versions
and device states.

The fix here is on both desktop and Android side:
- URL-decode the number and ignore if it contains '#', '*' or '%'.
- Send the raw number (URL-encoded) to Android
- Verify that URL-decoding the received raw number is valid as above
- Show the decoded number in the notification
- Parse the raw number in Java into a Uri object for the Dialer

Together this makes sure that we only URL-decode tel: links once and
verify it on both sender and receiver side before passing it on to the

Test: updated unit_tests and browser_tests to check for conversion

Reviewed-by: Robert Kaplow <email@example.com>
Reviewed-by: David Jacobo <firstname.lastname@example.org>
Reviewed-by: Gayane Petrosyan <email@example.com>
Reviewed-by: Istiaque Ahmed <firstname.lastname@example.org>
Reviewed-by: Peter Beverloo <email@example.com>
Commit-Queue: Richard Knoll <firstname.lastname@example.org>
1 file changed
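
The decode-once-and-validate rule described in the commit message above, as an added C++ example that is not Chromium's own code. The function names and the sample tel: payloads are constructed for illustration; `LegacyDoubleDecode` models the pre-fix behaviour only to show why the '%' check matters.

```cpp
#include <iostream>
#include <string>

// Hypothetical helper: value of one hex digit, or -1 if not a hex digit.
static int HexVal(char c) {
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  if (c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

// Percent-decodes `in` exactly once; malformed escapes are kept literally.
std::string PercentDecodeOnce(const std::string& in) {
  std::string out;
  for (size_t i = 0; i < in.size(); ++i) {
    if (in[i] == '%' && i + 2 < in.size()) {
      int hi = HexVal(in[i + 1]), lo = HexVal(in[i + 2]);
      if (hi >= 0 && lo >= 0) {
        out.push_back(static_cast<char>(hi * 16 + lo));
        i += 2;
        continue;
      }
    }
    out.push_back(in[i]);
  }
  return out;
}

// Check used on both sender and receiver: decode once, then reject '#', '*'
// and any leftover '%' (a leftover '%' means another encoding layer remains).
bool IsSafeRawNumber(const std::string& raw) {
  return PercentDecodeOnce(raw).find_first_of("#*%") == std::string::npos;
}

// Receiver side: decoded number for the notification, empty if rejected.
std::string NumberForNotification(const std::string& raw) {
  return IsSafeRawNumber(raw) ? PercentDecodeOnce(raw) : std::string();
}

// Pre-fix behaviour: decoded on desktop, then decoded again on Android.
std::string LegacyDoubleDecode(const std::string& raw) {
  return PercentDecodeOnce(PercentDecodeOnce(raw));
}

int main() {
  const std::string doubled = "%252A100%2523";  // constructed sample
  std::cout << "legacy result: " << LegacyDoubleDecode(doubled) << "\n";
  std::cout << "accepted after fix: " << IsSafeRawNumber(doubled) << "\n";
  std::cout << "plain number: " << NumberForNotification("%2B1%20555%200100") << "\n";
}
```
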