From b5f273a356edc4f0051536898afd30637085a143 Mon Sep 17 00:00:00 2001
From: tobiasKaminsky
Date: Wed, 4 Feb 2026 09:47:28 +0100
Subject: [PATCH 1/2] If enforced server, allow QR scanner, but validate url
Signed-off-by: tobiasKaminsky
---
 .../authentication/AuthenticatorActivity.java | 39 ++++++++++++++++++-
 app/src/main/res/values/strings.xml | 1 +
 2 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/app/src/main/java/com/owncloud/android/authentication/AuthenticatorActivity.java b/app/src/main/java/com/owncloud/android/authentication/AuthenticatorActivity.java
index 3add5f5eef73..b1fae63aad9b 100644
--- a/app/src/main/java/com/owncloud/android/authentication/AuthenticatorActivity.java
+++ b/app/src/main/java/com/owncloud/android/authentication/AuthenticatorActivity.java
@@ -67,7 +67,6 @@
 import com.nextcloud.operations.PostMethod;
 import com.nextcloud.utils.extensions.BundleExtensionsKt;
 import com.nextcloud.utils.mdm.MDMConfig;
-import com.owncloud.android.BuildConfig;
 import com.owncloud.android.MainApp;
 import com.owncloud.android.R;
 import com.owncloud.android.databinding.AccountSetupBinding;
@@ -107,6 +106,8 @@
 import com.owncloud.android.utils.WebViewUtil;
 import com.owncloud.android.utils.theme.ViewThemeUtils;
+import org.jetbrains.annotations.NotNull;
+
 import java.io.InputStream;
 import java.net.URLDecoder;
 import java.util.ArrayList;
@@ -351,7 +352,6 @@ private void showEnforcedServers() {
 showAuthStatus();
 accountSetupBinding.hostUrlFrame.setVisibility(View.GONE);
 accountSetupBinding.hostUrlInputHelperText.setVisibility(View.GONE);
- accountSetupBinding.scanQr.setVisibility(View.GONE);
 accountSetupBinding.serversSpinner.setVisibility(View.VISIBLE);
 ArrayAdapter adapter = new ArrayAdapter<>(this, R.layout.enforced_servers_spinner);
@@ -639,6 +639,13 @@ private void parseAndLoginFromWebView(String dataString) {
 String prefix = getString(R.string.login_data_own_scheme) + PROTOCOL_SUFFIX + "login/";
 LoginUrlInfo loginUrlInfo = parseLoginDataUrl(prefix, dataString);
+ if (!checkAllowedServers(loginUrlInfo.getServer())) {
+ mServerStatusIcon = R.drawable.ic_alert;
+ mServerStatusText = getString(R.string.server_not_allowed);
+ showServerStatus();
+ return;
+ }
+
 if (accountSetupBinding != null) {
 accountSetupBinding.hostUrlInput.setText("");
 }
@@ -649,10 +656,38 @@ private void parseAndLoginFromWebView(String dataString) {
 mServerStatusIcon = R.drawable.ic_alert;
 mServerStatusText = getString(R.string.qr_could_not_be_read);
 showServerStatus();
+ return;
 }
 checkOcServer();
 }
+ private boolean checkAllowedServers(@NotNull String server) {
+ String webviewLogin = getString(R.string.webview_login_url);
+
+ if (!webviewLogin.isEmpty()) {
+ if (webviewLogin.startsWith(server)) {
+ return true;
+ }
+ }
+
+ String enforcedServerList = getString(R.string.enforce_servers);
+
+ if (!enforcedServerList.isEmpty()) {
+ ArrayList enforcedServers = new Gson().fromJson(enforcedServerList,
+ new TypeToken>() {
+ }
+ .getType());
+
+ for (EnforcedServer enforcedServer : enforcedServers) {
+ if (enforcedServer.getUrl().startsWith(server)) {
+ return true;
+ }
+ }
+ }
+
+ return false;
+ }
+
 /**
 * parses a URI string and returns a login data object with the information from the URI string.
 *
diff --git a/app/src/main/res/values/strings.xml b/app/src/main/res/values/strings.xml
index 97f04a8862af..4cacc9f8af76 100644
--- a/app/src/main/res/values/strings.xml
+++ b/app/src/main/res/values/strings.xml
@@ -1506,4 +1506,5 @@
 File upload conflicts Upload conflicts detected. Open uploads to resolve. Resolve conflicts
+ Server not allowed
From 385b6133798c453626816fcd5c9f6f963cd39de4 Mon Sep 17 00:00:00 2001
From: alperozturk96
Date: Wed, 4 Feb 2026 11:52:08 +0100
Subject: [PATCH 2/2] fix codacy
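Review bot: The guard added in hunk @@ -639 calls `checkAllowedServers(loginUrlInfo.getServer())` unconditionally, while the helper added in the same patch ends in `return false` whenever neither `webview_login_url` nor `enforce_servers` yields a match, including when both are empty. If a build leaves both resources empty, this path would appear to reject every login data URL with "Server not allowed"; confirm that is intended, or treat "nothing configured" as unrestricted with `if (webviewLogin.isEmpty() && enforcedServerList.isEmpty()) { return true; }` inside the helper. parseAndLoginFromWebView starts and ends outside this hunk, so how the surrounding error handling reacts to the early `return` cannot be checked from here.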
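Review bot: In checkAllowedServers (hunk @@ -649) both comparisons have the form `allowedUrl.startsWith(server)`, so the value taken from the login data only has to be a leading substring of a configured URL. An empty string, a bare scheme, or a shorter host name that is a different host altogether would pass the allow-list, which defeats the enforced-server restriction this patch is meant to keep. Compare parsed origins for equality instead (scheme, host and port via `android.net.Uri`), and treat an empty or unparsable `server` as not allowed; whether a path component must also match for sub-directory installs should be decided explicitly. The same `startsWith` calls are carried unchanged through hunk @@ -661 of patch 2/2.

```java
private boolean checkAllowedServers(@NotNull String server) {
    // … unchanged: read webview_login_url and enforce_servers, parse the enforced list with Gson …
    if (!webviewLogin.isEmpty() && sameOrigin(webviewLogin, server)) {
        return true;
    }
    for (EnforcedServer enforcedServer : enforcedServers) {
        if (sameOrigin(enforcedServer.getUrl(), server)) {
            return true;
        }
    }
    return false;
}

/** Exact match on scheme, host and port; an empty or unparsable candidate never matches. */
private static boolean sameOrigin(String allowedUrl, String candidate) {
    Uri allowed = Uri.parse(allowedUrl);
    Uri scanned = Uri.parse(candidate);
    String scheme = scanned.getScheme();
    String host = scanned.getHost();
    if (scheme == null || host == null) {
        return false;
    }
    // getPort() is -1 when no port is written, so "host" and "host:443" differ; normalise if both forms are expected.
    return scheme.equalsIgnoreCase(allowed.getScheme())
        && host.equalsIgnoreCase(allowed.getHost())
        && scanned.getPort() == allowed.getPort();
}
```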
Signed-off-by: alperozturk96
---
 .../android/authentication/AuthenticatorActivity.java | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/app/src/main/java/com/owncloud/android/authentication/AuthenticatorActivity.java b/app/src/main/java/com/owncloud/android/authentication/AuthenticatorActivity.java
index b1fae63aad9b..addff51175ba 100644
--- a/app/src/main/java/com/owncloud/android/authentication/AuthenticatorActivity.java
+++ b/app/src/main/java/com/owncloud/android/authentication/AuthenticatorActivity.java
@@ -106,8 +106,6 @@
 import com.owncloud.android.utils.WebViewUtil;
 import com.owncloud.android.utils.theme.ViewThemeUtils;
-import org.jetbrains.annotations.NotNull;
-
 import java.io.InputStream;
 import java.net.URLDecoder;
 import java.util.ArrayList;
@@ -661,13 +659,11 @@ private void parseAndLoginFromWebView(String dataString) {
 checkOcServer();
 }
- private boolean checkAllowedServers(@NotNull String server) {
+ private boolean checkAllowedServers(@NonNull String server) {
 String webviewLogin = getString(R.string.webview_login_url);
- if (!webviewLogin.isEmpty()) {
- if (webviewLogin.startsWith(server)) {
- return true;
- }
+ if (!webviewLogin.isEmpty() && webviewLogin.startsWith(server)) {
+ return true;
 }
 String enforcedServerList = getString(R.string.enforce_servers);
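Review bot: `@NonNull` on `server` in hunk @@ -661 is only a static hint, and the one caller visible in this series passes `loginUrlInfo.getServer()` straight through, so a null value would throw inside `startsWith`. Whether parseLoginDataUrl can leave the server unset is not visible here; if it can, an explicit `if (server == null || server.isEmpty()) { return false; }` at the top makes the security decision fail closed instead of relying on an exception. The helper would also benefit from a short Javadoc stating the matching rule, e.g. `/** Returns true when server matches webview_login_url or an entry of enforce_servers. */`. The method body continues past the end of this hunk.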