diff --git a/KeePassRPC/KeePassRPCService.cs b/KeePassRPC/KeePassRPCService.cs
index 39af7e8..79a015e 100644
--- a/KeePassRPC/KeePassRPCService.cs
+++ b/KeePassRPC/KeePassRPCService.cs
@@ -1895,7 +1895,7 @@ private int bestMatchAccuracyForAnyURL(PwEntry pwe, EntryConfig conf, string url
///
/// Finds entries. Presence of certain parameters dictates type of search performed in the following priority order: uniqueId; freeTextSearch; URL, realm, etc.. Searching stops as soon as one of the different types of search results in a successful match. Supply a username to limit results from URL and realm searches (to search for username regardless of URL/realm, do a free text search and filter results in your client).
///
- /// The URLs to search for. Host must be lower case as per the URI specs. Other parts are case sensitive.
+ /// The URLs to search for. Host must be lower case as per the URI specs. Other parts are case sensitive.
/// The action URL.
/// The HTTP realm.
/// The type of login search to perform. E.g. look for form matches or HTTP Auth matches.
@@ -1906,7 +1906,8 @@ private int bestMatchAccuracyForAnyURL(PwEntry pwe, EntryConfig conf, string url
/// /// Limit a search for URL to exact username matches only
/// An entry suitable for use by a JSON-RPC client.
[JsonRpcMethod]
- public Entry[] FindLogins(string[] URLs, string actionURL, string httpRealm, LoginSearchType lst, bool requireFullURLMatches,
+ public Entry[] FindLogins(string[] unsanitisedURLs, string actionURL,
+ string httpRealm, LoginSearchType lst, bool requireFullURLMatches,
string uniqueID, string dbFileName, string freeTextSearch, string username)
{
List dbs = null;
@@ -2005,6 +2006,12 @@ public Entry[] FindLogins(string[] URLs, string actionURL, string httpRealm, Log
}
// else we search for the URLs
+ // First, we remove any data URIs from the list - there aren't any practical use cases
+ // for this which can trump the security risks introduced by attempting to support their use.
+ var santisedURLs = new List(unsanitisedURLs);
+ santisedURLs.RemoveAll(u => u.StartsWith("data:"));
+ var URLs = santisedURLs.ToArray();
+
if (count == 0 && URLs.Length > 0 && !string.IsNullOrEmpty(URLs[0]))
{
Dictionary URLHostnameAndPorts = new Dictionary();
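Review bot: The filter on the `RemoveAll` line is a culture-sensitive, case-sensitive prefix check, so a URI whose scheme is written as `Data:` or `DATA:` is not removed even though RFC 3986 schemes are case-insensitive; the same check appears in URLSummary.FromURL in the second file. A null element in the array would also throw from `StartsWith` here before the existing `IsNullOrEmpty(URLs[0])` guard runs, which appears to be new behaviour for this method. Suggested line: `santisedURLs.RemoveAll(u => u == null || u.StartsWith("data:", StringComparison.OrdinalIgnoreCase));`. The local name `santisedURLs` looks like a typo for `sanitisedURLs`. FindLogins starts before this hunk and continues after it.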
diff --git a/KeePassRPC/URLSummary.cs b/KeePassRPC/URLSummary.cs
index b7690d0..2b8fb95 100644
--- a/KeePassRPC/URLSummary.cs
+++ b/KeePassRPC/URLSummary.cs
@@ -23,13 +23,13 @@ You should have received a copy of the GNU General Public License
namespace KeePassRPC
{
- class URLSummary
+ public class URLSummary
{
public string HostnameAndPort;
public string Port;
public DomainName Domain;
- public URLSummary(string hostnameAndPort, string port, DomainName domain)
+ private URLSummary(string hostnameAndPort, string port, DomainName domain)
{
HostnameAndPort = hostnameAndPort;
Port = port;
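Review bot: Making the class public exposes three mutable public fields (`HostnameAndPort`, `Port`, `Domain`) as API while the constructor is now private, so callers can create instances only through the factory but can still overwrite the parsed values afterwards. Marking the fields `public readonly` (or turning them into get-only properties) would keep the intended immutability without changing the factory. The class body continues beyond this hunk.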
@@ -38,10 +38,15 @@ public URLSummary(string hostnameAndPort, string port, DomainName domain)
public static URLSummary FromURL(string URL)
{
+ if (URL.StartsWith("data:"))
+ {
+ return new URLSummary("", "", null);
+ }
+
bool isFile = false;
int protocolIndex = URL.IndexOf("://");
string hostAndPort = "";
- if (URL.IndexOf("file://") > -1)
+ if (URL.StartsWith("file://"))
{
isFile = true;
// the "host and port" of a file is the actual file name
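Review bot: The early return for `data:` hands back a sentinel with `Domain == null` and empty strings, while the rest of the method presumably produces a non-null `Domain`; any caller that reads `summary.Domain.<member>` will now throw NullReferenceException for such input rather than skipping it. Either the contract should be stated in the XML doc for `FromURL` (`/// Returns a summary with a null Domain for data: URIs; callers must check before use`), or the method should return a summary whose Domain is a non-null empty value. Both `StartsWith` checks in this hunk should also pass `StringComparison.OrdinalIgnoreCase`, since `FILE://` and `Data:` are valid spellings of those schemes and the current checks are culture-sensitive. FromURL continues past the end of this hunk.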