Prevent USSD codes via Click to Call
Click to Call allows users to send a phone number from their Chrome
desktop instance to their Android phone. This number either comes from a
user's selection and sent via the context menu, or by clicking on a link
with a "tel:" href.
Sending from the context menu is gated by a regular expression and will
not allow any special characters like '#' or '*' to be contained in the
phone number.
Sending link hrefs does not go through that check as we assume the link
is a valid phone number. We do call GURL::GetContent() to get the number
which should discard anything after a (and including the) '#' character.
However, we also URL-decoded the resulting string before then sending it
over to Android, where we URL-decoded it again when constructing the
Dialer intent. This allows sending double-URL-encoded USSD tel links
which will be sent straight to the Dialer on certain Android versions
and device states.
The fix here is on both desktop and Android side:
Desktop:
- URL-decode the number and ignore if it contains '#', '*' or '%'.
- Send the raw number (URL-encoded) to Android
Android:
- Verify that URL-decoding the received raw number is valid as above
- Show the decoded number in the notification
- Parse the raw number in Java into a Uri object for the Dialer
Together this makes sure that we only URL-decode tel: links once and
verify it on both sender and receiver side before passing it on to the
Android Dialer.
Bug: 1180510
Test: updated unit_tests and browser_tests to check for conversion
Change-Id: Idf380b629cdf00155ecab054398af69f37ec2ef9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2825704
Reviewed-by: Robert Kaplow <rkaplow@chromium.org>
Reviewed-by: David Jacobo <djacobo@chromium.org>
Reviewed-by: Gayane Petrosyan <gayane@chromium.org>
Reviewed-by: Istiaque Ahmed <lazyboy@chromium.org>
Reviewed-by: Peter Beverloo <peter@chromium.org>
Commit-Queue: Richard Knoll <knollr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#875572}
GitOrigin-RevId: e041be8dc8b5b9e3012e752c2636fcf1cd8b0b1d
diff --git a/metrics/histograms/histograms_xml/sharing/histograms.xml b/metrics/histograms/histograms_xml/sharing/histograms.xml
index 0491b0a..62a740a 100644
--- a/metrics/histograms/histograms_xml/sharing/histograms.xml
+++ b/metrics/histograms/histograms_xml/sharing/histograms.xml
@@ -79,6 +79,17 @@
</summary>
</histogram>
+<histogram name="Sharing.ClickToCallPhoneNumberValid" units="BooleanValid"
+ expires_after="M95">
+ <owner>knollr@chromium.org</owner>
+ <owner>peter@chromium.org</owner>
+ <summary>
+ Records if a received phone number is valid. Invalid numbers might suggest
+ that the remote device tried to send malicious data. Logged when handling a
+ Click to Call message on Android received from a Chrome desktop instance.
+ </summary>
+</histogram>
+
<histogram name="Sharing.ClickToCallSelectedAppIndex" units="index"
expires_after="2021-08-22">
<!-- Name completed by histogram_suffixes name="SharingClickToCallUi" -->