

Prevent KeePassRPC from handling data URIs
Also ensures that a file protocol scheme is only detected if it is at the start of a URI
luckyrat committed Nov 19, 2016
1 parent ea99146 commit 7e0acc1
Showing 2 changed files with 17 additions and 5 deletions.
11 changes: 9 additions & 2 deletions KeePassRPC/KeePassRPCService.cs
Expand Up @@ -1895,7 +1895,7 @@ private int bestMatchAccuracyForAnyURL(PwEntry pwe, EntryConfig conf, string url
/// <summary>
/// Finds entries. Presence of certain parameters dictates type of search performed in the following priority order: uniqueId; freeTextSearch; URL, realm, etc.. Searching stops as soon as one of the different types of search results in a successful match. Supply a username to limit results from URL and realm searches (to search for username regardless of URL/realm, do a free text search and filter results in your client).
/// </summary>
/// <param name="URLs">The URLs to search for. Host must be lower case as per the URI specs. Other parts are case sensitive.</param>
/// <param name="unsanitisedURLs">The URLs to search for. Host must be lower case as per the URI specs. Other parts are case sensitive.</param>
/// <param name="actionURL">The action URL.</param>
/// <param name="httpRealm">The HTTP realm.</param>
/// <param name="lst">The type of login search to perform. E.g. look for form matches or HTTP Auth matches.</param>
Expand All @@ -1906,7 +1906,8 @@ private int bestMatchAccuracyForAnyURL(PwEntry pwe, EntryConfig conf, string url
/// /// <param name="username">Limit a search for URL to exact username matches only</param>
/// <returns>An entry suitable for use by a JSON-RPC client.</returns>
[JsonRpcMethod]
public Entry[] FindLogins(string[] URLs, string actionURL, string httpRealm, LoginSearchType lst, bool requireFullURLMatches,
public Entry[] FindLogins(string[] unsanitisedURLs, string actionURL,
string httpRealm, LoginSearchType lst, bool requireFullURLMatches,
string uniqueID, string dbFileName, string freeTextSearch, string username)
{
List<PwDatabase> dbs = null;
Expand Down Expand Up @@ -2005,6 +2006,12 @@ public Entry[] FindLogins(string[] URLs, string actionURL, string httpRealm, Log
}
// else we search for the URLs

// First, we remove any data URIs from the list - there aren't any practical use cases
// for this which can trump the security risks introduced by attempting to support their use.
var santisedURLs = new List<string>(unsanitisedURLs);
santisedURLs.RemoveAll(u => u.StartsWith("data:"));
var URLs = santisedURLs.ToArray();

if (count == 0 && URLs.Length > 0 && !string.IsNullOrEmpty(URLs[0]))
{
Dictionary<string, URLSummary> URLHostnameAndPorts = new Dictionary<string, URLSummary>();
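Review bot: The `data:` filter on the RemoveAll line is a culture-sensitive, case-sensitive StartsWith, so a URI whose scheme is written `DATA:` or `Data:` (schemes are case-insensitive per RFC 3986) is not removed and still reaches the URL matching below; if the caller can supply a null element, the lambda also throws a NullReferenceException before the IsNullOrEmpty guard on the following `if` is reached. Suggest `santisedURLs.RemoveAll(u => u != null && u.StartsWith("data:", StringComparison.OrdinalIgnoreCase));`. The same plain StartsWith is used for the `data:` and `file://` checks added in URLSummary.FromURL in the second file, where an upper-case `FILE://` would now skip the file branch and fall through to the `://` parsing path. The local name `santisedURLs` is also misspelled; `sanitisedURLs` matches the parameter's spelling. FindLogins starts and ends outside this hunk.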
11 changes: 8 additions & 3 deletions KeePassRPC/URLSummary.cs
Expand Up @@ -23,13 +23,13 @@ You should have received a copy of the GNU General Public License

namespace KeePassRPC
{
class URLSummary
public class URLSummary
{
public string HostnameAndPort;
public string Port;
public DomainName Domain;

public URLSummary(string hostnameAndPort, string port, DomainName domain)
private URLSummary(string hostnameAndPort, string port, DomainName domain)
{
HostnameAndPort = hostnameAndPort;
Port = port;
Expand All @@ -38,10 +38,15 @@ public URLSummary(string hostnameAndPort, string port, DomainName domain)

public static URLSummary FromURL(string URL)
{
if (URL.StartsWith("data:"))
{
return new URLSummary("", "", null);
}

bool isFile = false;
int protocolIndex = URL.IndexOf("://");
string hostAndPort = "";
if (URL.IndexOf("file://") > -1)
if (URL.StartsWith("file://"))
{
isFile = true;
// the "host and port" of a file is the actual file name
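Review bot: The early return for `data:` URIs hands back a URLSummary whose HostnameAndPort and Port are empty strings but whose Domain is null, and nothing on FromURL documents that callers must null-check Domain before comparing it; since the other two fields are populated, a reader may assume Domain is non-null too. Now that the constructor is private, FromURL is the only way to obtain an instance, so a summary there would be the natural place: `/// Builds a URLSummary from URL. Data URIs yield empty HostnameAndPort and Port and a null Domain, and should be treated as never matching an entry.` Whether existing callers already tolerate a null Domain cannot be confirmed from this hunk. FromURL continues past the end of this hunk.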
