Mirrors/chatmail-core
1
0
Fork 0
mirror of https://github.com/chatmail/core.git synced 2026-04-27 02:16:29 +03:00
Code Issues Packages Projects Releases Wiki Activity

Allow http scheme for DCACCOUNT URLs

Browse Source 
It presents no security issue, because properly configured servers will
only serve passwords on HTTPS and distribute only HTTPS QR codes, but
makes testing easier when HTTPS is not easy to deploy.

If attacker can control the URL used, they can change the URL to another
HTTPS URL controlled by them and act as a proxy between the client and
original server anyway.
This commit is contained in:
Alexander Krotov
2020-07-28 00:11:39 +03:00
committed by link2xt
parent 82c3352b27
commit 8729b9f403
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/qr.rs
View File

@@ -195,7 +195,7 @@ fn decode_account(_context: &Context, qr: &str) -> Lot {
let mut lot = Lot::new();
if let Ok(url) = url::Url::parse(payload) {
if url.scheme() == "https" {
if url.scheme() == "http" || url.scheme() == "https" {
lot.state = LotState::QrAccount;
lot.text1 = url.host_str().map(|x| x.to_string());
} else {