Prevent USSD codes via Click to Call

Click to Call allows users to send a phone number from their Chrome
desktop instance to their Android phone. This number either comes from a
user's selection and sent via the context menu, or by clicking on a link
with a "tel:" href.

Sending from the context menu is gated by a regular expression and will
not allow any special characters like '#' or '*' to be contained in the

Sending link hrefs does not go through that check as we assume the link
is a valid phone number. We do call GURL::GetContent() to get the number
which should discard anything after a (and including the) '#' character.
However, we also URL-decoded the resulting string before then sending it
over to Android, where we URL-decoded it again when constructing the
Dialer intent. This allows sending double-URL-encoded USSD tel links
which will be sent straight to the Dialer on certain Android versions
and device states.

The fix here is on both desktop and Android side:
- URL-decode the number and ignore if it contains '#', '*' or '%'.
- Send the raw number (URL-encoded) to Android
- Verify that URL-decoding the received raw number is valid as above
- Show the decoded number in the notification
- Parse the raw number in Java into a Uri object for the Dialer

Together this makes sure that we only URL-decode tel: links once and
verify it on both sender and receiver side before passing it on to the

Test: updated unit_tests and browser_tests to check for conversion

Reviewed-by: Robert Kaplow <firstname.lastname@example.org>
Reviewed-by: David Jacobo <email@example.com>
Reviewed-by: Gayane Petrosyan <firstname.lastname@example.org>
Reviewed-by: Istiaque Ahmed <email@example.com>
Reviewed-by: Peter Beverloo <firstname.lastname@example.org>
Commit-Queue: Richard Knoll <email@example.com>
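
The decode-once check listed in the commit message, as an added C++ example (not the Chromium code from this commit). `DecodeOnce` and `ValidateRawNumber` are hypothetical names and the sample numbers are constructed.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Percent-decodes `in` exactly once. Malformed escapes are copied through
// unchanged, so a stray '%' survives and is caught by the validation below.
std::string DecodeOnce(const std::string& in) {
  std::string out;
  for (size_t i = 0; i < in.size(); ++i) {
    if (in[i] == '%' && i + 2 < in.size() &&
        std::isxdigit(static_cast<unsigned char>(in[i + 1])) &&
        std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
      out.push_back(
          static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16)));
      i += 2;
    } else {
      out.push_back(in[i]);
    }
  }
  return out;
}

// Hypothetical helper applying the rule from the commit message: decode the
// raw (URL-encoded) number once and reject it if the result contains '#',
// '*' or '%'. A leftover '%' means another encoding layer is still present.
// Both sender and receiver would run this on the same raw string.
bool ValidateRawNumber(const std::string& raw, std::string* decoded) {
  *decoded = DecodeOnce(raw);
  return !decoded->empty() &&
         decoded->find_first_of("#*%") == std::string::npos;
}

int main() {
  // Constructed samples: plain, single-encoded, double-encoded.
  const char* samples[] = {"%2B1%20555%200100", "%2A123", "%252A123%2523"};
  for (const char* raw : samples) {
    std::string shown;
    bool ok = ValidateRawNumber(raw, &shown);
    std::cout << raw << " -> " << (ok ? "accept " : "reject ") << shown
              << "\n";
  }
  return 0;
}
```

The double-encoded sample is rejected because one decoding pass still leaves a '%' in the string; only a second pass would turn it into the special characters.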
diff --git a/metrics/histograms/histograms_xml/sharing/histograms.xml b/metrics/histograms/histograms_xml/sharing/histograms.xml
index 0491b0a..62a740a 100644
@@ -79,6 +79,17 @@
+<histogram name="Sharing.ClickToCallPhoneNumberValid" units="BooleanValid"
+ Records if a received phone number is valid. Invalid numbers might suggest
+ that the remote device tried to send malicious data. Logged when handling a
+ Click to Call message on Android received from a Chrome desktop instance.
<histogram name="Sharing.ClickToCallSelectedAppIndex" units="index"
<!-- Name completed by histogram_suffixes name="SharingClickToCallUi" -->
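Review bot: the description added for Sharing.ClickToCallPhoneNumberValid says it "Records if a received phone number is valid" but never says what valid means. Consider stating the rule from the commit message (the raw number is URL-decoded once and the result must not contain '#', '*' or '%'), so that someone reading the metric later knows what an invalid sample implies. Separately, the added line declares BooleanValid under units=, while the neighbouring Sharing.ClickToCallSelectedAppIndex uses units="index" for a numeric value; BooleanValid reads like an enum name, so please check whether enum="BooleanValid" is what was intended.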