From 8729b9f403c0049db55a3e16ae9e73bf0f856921 Mon Sep 17 00:00:00 2001
From: Alexander Krotov
Date: Tue, 28 Jul 2020 00:11:39 +0300
Subject: [PATCH] Allow http scheme for DCACCOUNT URLs

It presents no security issue, because properly configured servers will only serve passwords on HTTPS and distribute only HTTPS QR codes, but makes testing easier when HTTPS is not easy to deploy. If attacker can control the URL used, they can change the URL to another HTTPS URL controlled by them and act as a proxy between the client and original server anyway.
---
 src/qr.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/qr.rs b/src/qr.rs
index 962c27f84..c2ece6dc8 100644
--- a/src/qr.rs
+++ b/src/qr.rs
@@ -195,7 +195,7 @@ fn decode_account(_context: &Context, qr: &str) -> Lot {
 let mut lot = Lot::new();
 if let Ok(url) = url::Url::parse(payload) {
- if url.scheme() == "https" {
+ if url.scheme() == "http" || url.scheme() == "https" {
 lot.state = LotState::QrAccount;
 lot.text1 = url.host_str().map(|x| x.to_string());
 } else {