URL matching too lax #1926

Closed
PhilippC opened this issue Feb 7, 2022 · 7 comments

@PhilippC
Owner

PhilippC commented Feb 7, 2022

If an entry has URL=kdbx://c:/data/abc.kdbx, this seems to match against every URL with a "c" in the domain. Should improve the matching algorithm.

PhilippC added this to the 1.09 milestone Feb 7, 2022
@adoeller

adoeller commented Feb 28, 2022

Also applies to numbers.

The browser URL 192.168.188.21 leads to the entry 192.168.188.2

That's not really a match.

@nomis

nomis commented Nov 10, 2024

An entry with the URL x.com is matching any domain that ends with x.com too, e.g. examplex.com

@midnight-wonderer
Contributor

> An entry with the URL x.com is matching any domain that ends with x.com too, e.g. examplex.com

This one bites me today. My x.com password has already been leaked. 🥺

@PhilippC
Owner Author

@midnight-wonderer I don't want to downplay this bug, but maybe it relieves you that no leakage should have happened unless you selected the x.com entry and actually filled it into the webpage of GMX.

@midnight-wonderer
Contributor

@PhilippC Thank you for the clarification.
Unfortunately, that is exactly what happened. I only realized something was wrong when the TOTP verification failed.

The website saves the password in its temporary storage, then displays the TOTP verification form, and informs me of the login result afterward.
My slippery fingers are probably part of the issue.

I understand that you might not have time to address this yet. How about pointing me to the code where the filter occurs?
If it doesn’t involve the UI, perhaps I can cook a PR for you.

@PhilippC
Owner Author

Thanks for offering help! I am still working on updating to target SDK 34 (which is a prerequisite for publishing any further updates on Google Play, so this has priority higher than anything else at the moment). But I think I have solved the hardest part: I just now merged #2743 into the main branch. With .net8, target sdk 34 is now supported 🎉 Anyway, I'll have to make some adjustments for this.

If you want to have a look at the matching: the entry point is here: https://github.com/PhilippC/keepass2android/blob/master/src/keepass2android-app/ShareUrlResults.cs#L203

@midnight-wonderer
Contributor

TIL: Keepass2Android is written in C#.
This is as far as I can go: #2744

You have to check it anyway, basically.
Not sure if this helps or creates more work for you.
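
The three reports in this thread (a `kdbx://` file reference, the IP address `192.168.188.2` against `192.168.188.21`, and `x.com` against `examplex.com`) all behave like a substring comparison on the host. The following is an added example, not Keepass2Android's code: `lax_match` is a constructed model of that symptom, `strict_match` is one hypothetical way to compare whole hosts, and every function name and sample URL here is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

def host_of(value, web_only=True):
    """Lower-cased host of a URL or bare host; None if absent or not a web URL."""
    if "://" not in value:
        value = "//" + value                 # bare "x.com" / "192.168.188.2"
    try:
        parts = urlsplit(value)
    except ValueError:
        return None
    if web_only and parts.scheme not in ("", "http", "https"):
        return None                          # e.g. kdbx:// is a file reference
    return parts.hostname.rstrip(".") if parts.hostname else None

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def lax_match(entry_url, page_url):
    """Constructed model of the reported symptom: substring test on hosts."""
    e, p = host_of(entry_url, False), host_of(page_url, False)
    return bool(e and p) and e in p

def strict_match(entry_url, page_url):
    """Match the whole host, or a subdomain on a dot boundary (assumed policy)."""
    e, p = host_of(entry_url), host_of(page_url)
    if not e or not p:
        return False
    if e == p:
        return True
    if is_ip(e) or is_ip(p):
        return False                         # IP literals must be identical
    return p.endswith("." + e)

# Constructed sample pairs (entry URL, browser URL), modelled on the reports above.
CASES = [
    ("kdbx://c:/data/abc.kdbx", "https://accounts.example.com/login"),
    ("192.168.188.2", "http://192.168.188.21/"),
    ("x.com", "https://examplex.com/"),
    ("x.com", "https://x.com/login"),
    ("example.com", "https://login.example.com/"),
]

if __name__ == "__main__":
    for entry, page in CASES:
        print(f"{entry!r:28} vs {page!r:38} lax={lax_match(entry, page)} strict={strict_match(entry, page)}")
```

Accepting subdomains is a policy choice: an entry whose host is a bare public suffix such as `com` would still match broadly unless the matcher also consults a public-suffix list.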
