Blocked internal oauth links from inside the app.

Related commit: cb82740.

Author: 23rd

Telegram/SourceFiles/core/click_handler_types.cpp

@@ -144,7 +144,7 @@ QString HiddenUrlClickHandler::dragText() const {
 
 void HiddenUrlClickHandler::Open(QString url, QVariant context) {
 	url = Core::TryConvertUrlToLocal(url);
-	if (Core::InternalPassportLink(url)) {
+	if (Core::InternalPassportOrOAuthLink(url)) {
 		return;
 	}
 
@@ -241,7 +241,7 @@ void HiddenUrlClickHandler::Open(QString url, QVariant context) {
 
 void BotGameUrlClickHandler::onClick(ClickContext context) const {
 	const auto url = Core::TryConvertUrlToLocal(this->url());
-	if (Core::InternalPassportLink(url)) {
+	if (Core::InternalPassportOrOAuthLink(url)) {
 		return;
 	}
 	const auto openLink = [=] {

Telegram/SourceFiles/core/local_url_handlers.cpp

@@ -1954,7 +1954,7 @@ QString TryConvertUrlToLocal(QString url) {
 	return url;
 }
 
-bool InternalPassportLink(const QString &url) {
+bool InternalPassportOrOAuthLink(const QString &url) {
 	const auto urlTrimmed = url.trimmed();
 	if (!urlTrimmed.startsWith(u"tg://"_q, Qt::CaseInsensitive)) {
 		return false;
@@ -1967,23 +1967,33 @@ bool InternalPassportLink(const QString &url) {
 		u"^passport/?\\?(.+)(#|$)"_q,
 		command,
 		matchOptions);
+	const auto oauthMatch = regex_match(
+		u"^oauth/?\\?(.+)(#|$)"_q,
+		command,
+		matchOptions);
 	const auto usernameMatch = regex_match(
 		u"^resolve/?\\?(.+)(#|$)"_q,
 		command,
 		matchOptions);
-	const auto usernameValue = usernameMatch->hasMatch()
-		? url_parse_params(
+	auto usernameValue = QString();
+	if (usernameMatch->hasMatch()) {
+		const auto params = url_parse_params(
 			usernameMatch->captured(1),
-			UrlParamNameTransform::ToLower).value(u"domain"_q)
-		: QString();
+			UrlParamNameTransform::ToLower);
+		usernameValue = params.value(u"domain"_q);
+	}
 	const auto authLegacy = (usernameValue == u"telegrampassport"_q);
-	return authMatch->hasMatch() || authLegacy;
+	const auto oauthLegacy = (usernameValue == u"oauth"_q);
+	return authMatch->hasMatch()
+		|| oauthMatch->hasMatch()
+		|| authLegacy
+		|| oauthLegacy;
 }
 
 bool StartUrlRequiresActivate(const QString &url) {
 	return Core::App().passcodeLocked()
 		? true
-		: !InternalPassportLink(url);
+		: !InternalPassportOrOAuthLink(url);
 }
 
 void ResolveAndShowUniqueGift(

Telegram/SourceFiles/core/local_url_handlers.h

@@ -42,7 +42,7 @@ struct LocalUrlHandler {
 
 [[nodiscard]] QString TryConvertUrlToLocal(QString url);
 
-[[nodiscard]] bool InternalPassportLink(const QString &url);
+[[nodiscard]] bool InternalPassportOrOAuthLink(const QString &url);
 
 [[nodiscard]] bool StartUrlRequiresActivate(const QString &url);
 

Telegram/SourceFiles/core/ui_integration.cpp

@@ -409,7 +409,7 @@ bool UiIntegration::handleUrlClick(
 		const QString &url,
 		const QVariant &context) {
 	const auto local = Core::TryConvertUrlToLocal(url);
-	if (Core::InternalPassportLink(local)) {
+	if (Core::InternalPassportOrOAuthLink(local)) {
 		return true;
 	}
 

Telegram/SourceFiles/inline_bots/bot_attach_web_view.cpp

@@ -1500,7 +1500,7 @@ void WebViewInstance::botDownloadsAction(
 
 bool WebViewInstance::botHandleLocalUri(QString uri, bool keepOpen) {
 	const auto local = Core::TryConvertUrlToLocal(uri);
-	if (Core::InternalPassportLink(local)) {
+	if (Core::InternalPassportOrOAuthLink(local)) {
 		return true;
 	} else if (!local.startsWith(u"tg://"_q, Qt::CaseInsensitive)
 		&& !local.startsWith(u"tonsite://"_q, Qt::CaseInsensitive)