Fix checking subdomains#2253
Conversation
src/browser/BrowserService.cpp
Outdated
| } | ||
|
|
||
| hostname.chop(qurl.topLevelDomain().length()); | ||
| return hostname.split('.').last().append(qurl.topLevelDomain()); |
There was a problem hiding this comment.
These two lines need to be broken up and comments added. Took me a while to figure out what was going on.
src/browser/BrowserService.cpp
Outdated
| QUrl qurl = QUrl::fromUserInput(url); | ||
| QString hostname = qurl.host(); | ||
|
|
||
| if (hostname.isEmpty() || hostname.indexOf(qurl.topLevelDomain()) < 0) { |
There was a problem hiding this comment.
Recommend changing the second term to !hostname.contains(qurl.topLevelDomain()) for clarity.
src/browser/BrowserService.cpp
Outdated
|
|
||
| for (Entry* entry : EntrySearcher().search(hostname, rootGroup, Qt::CaseInsensitive)) { | ||
| QString base = baseDomain(hostname); | ||
| for (Entry* entry : EntrySearcher().search(base, rootGroup, Qt::CaseInsensitive)) { |
There was a problem hiding this comment.
Just replace "base" with "baseDomain(hostname)", no need for a temp variable with a questionable name.
f439aef to
9028fb9
Compare
|
Issues fixed & PR rebased. |
|
After being annoyed at the bug for a couple weeks, I found this PR, recompiled my copy, and ran it for a couple days. Got two console errors; the first popped up immediately and the second some time later: |
|
@pillarsdotnet Those errors are not related to this PR. The first one I have seen multiple times, the second is caused by placeholder resolver. |
9028fb9 to
a8167e3
Compare
src/browser/BrowserService.cpp
Outdated
| return false; | ||
| } | ||
|
|
||
| // Gets the base domain of URL, e.g. https://another.example.co.uk -> example.co.uk |
There was a problem hiding this comment.
Nitpick: why is this not a proper docblock?
a8167e3 to
a20d837
Compare
a20d837 to
8cbd571
Compare
|
Ok, I place my question and thoughts about the non-working matching algorithm here, Consider, you have a special link, the user wants to open. xyz is an international company with locale support on their web sites. If you call xyz.de/login, you get the german site, no matter if you are in Germany, or elsewhere. If you call xyz.com/login, you get the international site or a local site in the language of the country where you are. The link is remapped to something like www.xyz.com/login, **www.xyz.co.uk/login", or no.xyz.com/login (Norway) Thus, if the (german) keepassxc user wants to open the correct site for him, he has to specify the .de link. However, for the credentials to be provided correctly by keepassxc, the field must have a value of xyz.com right now. Also consider that the user is not always be able to change any language settings when in an internet cafe in a foreign country, or might be using a VPN. Examples of sites with such a behaviour are linkedin, or xing. Maybe it would be a good idea to separate the field in two. One field for the URL to open, and one optional field for the mapper, in case the mapping cannot be derived from the first URL. I dont know if this point is a good idea for the websites sometimes load balance their requests. Thus a request for accounts.xyz.com would sometimes be changed by them to accounts1.xyz.com If you apply your rule (saying *.xyz.com will not match), then there is no chance for the user to specify a URL that is matching at all, in case he wants to jump to the accounts page and not the xyz.com page. |
|
This is what cloned entries are for. You can clone the original one and change the URL to a redirect page or alternative login domain. The latter example you provided is increasingly rare due to modern load balancing being handled by smart dns routing instead of multiple sub domains. |
- New Database Wizard [#1952] - Advanced Search [#1797] - Automatic update checker [#2648] - KeeShare database synchronization [#2109, #1992, #2738, #2742, #2746, #2739] - Improve favicon fetching; transition to Duck-Duck-Go [#2795, #2011, #2439] - Remove KeePassHttp support [#1752] - CLI: output info to stderr for easier scripting [#2558] - CLI: Add --quiet option [#2507] - CLI: Add create command [#2540] - CLI: Add recursive listing of entries [#2345] - CLI: Fix stdin/stdout encoding on Windows [#2425] - SSH Agent: Support OpenSSH for Windows [#1994] - macOS: TouchID Quick Unlock [#1851] - macOS: Multiple improvements; include CLI in DMG [#2165, #2331, #2583] - Linux: Prevent Klipper from storing secrets in clipboard [#1969] - Linux: Use polling based file watching for NFS [#2171] - Linux: Enable use of browser plugin in Snap build [#2802] - TOTP QR Code Generator [#1167] - High-DPI Scaling for 4k screens [#2404] - Make keyboard shortcuts more consistent [#2431] - Warn user if deleting referenced entries [#1744] - Allow toolbar to be hidden and repositioned [#1819, #2357] - Increase max allowed database timeout to 12 hours [#2173] - Password generator uses existing password length by default [#2318] - Improve alert message box button labels [#2376] - Show message when a database merge makes no changes [#2551] - Browser Integration Enhancements [#1497, #2253, #1904, #2232, #1850, #2218, #2391, #2396, #2542, #2622, #2637, #2790] - Overall Code Improvements [#2316, #2284, #2351, #2402, #2410, #2419, #2422, #2443, #2491, #2506, #2610, #2667, #2709, #2731]
Fix checking subdomains when retrieving credentials.
Description
After title matching was removed with release 2.3.4 the subdomain handling broke. Base domain of the URL will be used for EntrySearcher instead of hostname.
With this fix:
https://google.com: matcheshttps://*.google.com, does not matchhttp://*.google.comgoogle.comwith scheme matching off: matches*://*.google.comhttps://accounts.google.com: matcheshttps://accounts.google.com, does not match withhttps://*.google.comaccounts.google.comwith scheme matching off: matches*://accounts.google.comMotivation and context
Fixes keepassxreboot/keepassxc-browser#283.
Fixes #2291