If enforced server, allow QR scanner, but validate url

tobiasKaminsky · alperozturk96 · commit 067f2b4e1d5a · 2026-02-04T10:35:49.000+01:00
Signed-off-by: tobiasKaminsky &lt;tobias@kaminsky.me&gt;
diff --git a/app/src/main/java/com/owncloud/android/authentication/AuthenticatorActivity.java b/app/src/main/java/com/owncloud/android/authentication/AuthenticatorActivity.java
@@ -67,7 +67,6 @@
 import com.nextcloud.operations.PostMethod;
 import com.nextcloud.utils.extensions.BundleExtensionsKt;
 import com.nextcloud.utils.mdm.MDMConfig;
-import com.owncloud.android.BuildConfig;
 import com.owncloud.android.MainApp;
 import com.owncloud.android.R;
 import com.owncloud.android.databinding.AccountSetupBinding;
@@ -107,6 +106,8 @@
 import com.owncloud.android.utils.WebViewUtil;
 import com.owncloud.android.utils.theme.ViewThemeUtils;
 
+import org.jetbrains.annotations.NotNull;
+
 import java.io.InputStream;
 import java.net.URLDecoder;
 import java.util.ArrayList;
@@ -351,7 +352,6 @@ private void showEnforcedServers() {
         showAuthStatus();
         accountSetupBinding.hostUrlFrame.setVisibility(View.GONE);
         accountSetupBinding.hostUrlInputHelperText.setVisibility(View.GONE);
-        accountSetupBinding.scanQr.setVisibility(View.GONE);
         accountSetupBinding.serversSpinner.setVisibility(View.VISIBLE);
 
         ArrayAdapter<String> adapter = new ArrayAdapter<>(this, R.layout.enforced_servers_spinner);
@@ -639,6 +639,13 @@ private void parseAndLoginFromWebView(String dataString) {
             String prefix = getString(R.string.login_data_own_scheme) + PROTOCOL_SUFFIX + "login/";
             LoginUrlInfo loginUrlInfo = parseLoginDataUrl(prefix, dataString);
 
+            if (!checkAllowedServers(loginUrlInfo.getServer())) {
+                mServerStatusIcon = R.drawable.ic_alert;
+                mServerStatusText = getString(R.string.server_not_allowed);
+                showServerStatus();
+                return;
+            }
+
             if (accountSetupBinding != null) {
                 accountSetupBinding.hostUrlInput.setText("");
             }
@@ -649,10 +656,38 @@ private void parseAndLoginFromWebView(String dataString) {
             mServerStatusIcon = R.drawable.ic_alert;
             mServerStatusText = getString(R.string.qr_could_not_be_read);
             showServerStatus();
+            return;
         }
         checkOcServer();
     }
 
+    private boolean checkAllowedServers(@NotNull String server) {
+        String webviewLogin = getString(R.string.webview_login_url);
+
+        if (!webviewLogin.isEmpty()) {
+            if (webviewLogin.startsWith(server)) {
+                return true;
+            }
+        }
+
+        String enforcedServerList = getString(R.string.enforce_servers);
+
+        if (!enforcedServerList.isEmpty()) {
+            ArrayList<EnforcedServer> enforcedServers = new Gson().fromJson(enforcedServerList,
+                                                                            new TypeToken<ArrayList<EnforcedServer>>() {
+                                                                            }
+                                                                                .getType());
+
+            for (EnforcedServer enforcedServer : enforcedServers) {
+                if (enforcedServer.getUrl().startsWith(server)) {
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
+
     /**
      * parses a URI string and returns a login data object with the information from the URI string.
      *
diff --git a/app/src/main/res/values/strings.xml b/app/src/main/res/values/strings.xml
@@ -1506,4 +1506,5 @@
     <string name="sync_conflict_notification_title">File upload conflicts</string>
     <string name="sync_conflict_notification_description">Upload conflicts detected. Open uploads to resolve.</string>
     <string name="sync_conflict_notification_action_title">Resolve conflicts</string>
+    <string name="server_not_allowed">Server not allowed</string>
 </resources>
