From b33f90f9d7719abe704212ebcc61a10f00c0395f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 16 Mar 2026 14:56:15 +0000 Subject: [PATCH 1/2] Initial plan From f7abb0c32169709dba70f021aeefd92f64aa1287 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 16 Mar 2026 15:07:53 +0000 Subject: [PATCH 2/2] Security fixes: WebView URL validation, redirect race condition, and file:// scheme removal Co-authored-by: sirambd <28200274+sirambd@users.noreply.github.com> --- app/src/main/AndroidManifest.xml | 1 - .../infomaniak/drive/ui/OnlyOfficeActivity.kt | 21 +++++++++++++++++-- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/app/src/main/AndroidManifest.xml b/app/src/main/AndroidManifest.xml index a76f5686fa..af8a3188bb 100644 --- a/app/src/main/AndroidManifest.xml +++ b/app/src/main/AndroidManifest.xml @@ -135,7 +135,6 @@ - diff --git a/app/src/main/java/com/infomaniak/drive/ui/OnlyOfficeActivity.kt b/app/src/main/java/com/infomaniak/drive/ui/OnlyOfficeActivity.kt index 05a891d6a5..d45061600d 100644 --- a/app/src/main/java/com/infomaniak/drive/ui/OnlyOfficeActivity.kt +++ b/app/src/main/java/com/infomaniak/drive/ui/OnlyOfficeActivity.kt @@ -83,6 +83,12 @@ class OnlyOfficeActivity : AppCompatActivity() { val url = intent.getStringExtra(ONLYOFFICE_URL_TAG)!! val filename = intent.getStringExtra(ONLYOFFICE_FILENAME_TAG)!! + + if (!isUrlFromTrustedDomain(url)) { + finish() + return@with + } + val headers = mapOf("Authorization" to "Bearer ${AccountUtils.currentUser?.apiToken?.accessToken}") CookieManager.getInstance().setAcceptThirdPartyCookies(webView, true) 
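Review bot: The new `isUrlFromTrustedDomain(url)` guard is what keeps the Bearer token in `headers` (built two lines below it) from being sent to an arbitrary host, but nothing in the hunk says so, and a rejected URL is dropped silently — the activity just finishes. A why-comment above the check, `// Refuse non-Infomaniak URLs: the Authorization header below must never reach a third-party host`, plus a warning log before `finish()` (without echoing the full URL, which may carry tokens) would make both the intent and a blocked launch visible. `return@with` only leaves the `with` lambda, so anything onCreate does after that block still runs on a finishing activity — worth confirming, since the block's start lies outside the hunk. The `!!` on both extras still crashes on a malformed intent instead of rejecting it the same way.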
@@ -96,8 +102,9 @@ class OnlyOfficeActivity : AppCompatActivity() {
 webViewClient = object : WebViewClientCompat() {
 override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean { 
- popBackIfNeeded(request.url.toString()) 
- view.loadUrl(request.url.toString()) 
+ val redirectUrl = request.url.toString() 
+ popBackIfNeeded(redirectUrl) 
+ if (!isFinishing) view.loadUrl(redirectUrl)
 return true
 }
 } 
@@ -211,6 +218,16 @@ class OnlyOfficeActivity : AppCompatActivity() {
 if (popBackNeeded) finish()
 } 
+ private fun isUrlFromTrustedDomain(url: String): Boolean { 
+ return try { 
+ val uri = Uri.parse(url) 
+ val host = uri.host ?: return false 
+ uri.scheme == "https" && (host.endsWith(".infomaniak.com") || host == "infomaniak.com") 
+ } catch (e: Exception) { 
+ false 
+ } 
+ } 
+
 private inner class OnlyOfficeWebChromeClient : WebChromeClient() {
 override fun onProgressChanged(view: WebView, newProgress: Int) = with(binding) {
 progressBar.progress = newProgress
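Review bot: `shouldOverrideUrlLoading` still loads every navigation target inside this WebView; the trusted-domain check is applied only to the initial intent URL, so a redirect or link to any other host is loaded in the authenticated WebView (third-party cookies are enabled for it in the first hunk). Unless OnlyOffice needs off-domain navigation here, which the diff does not show, non-Infomaniak targets should be handed to the system browser rather than loaded in place. The `isFinishing` check is an improvement over calling `loadUrl` on a finishing activity, but turning it into an early return keeps the method flat. `popBackIfNeeded`'s logic lies outside the hunk, so whether it already filters hosts cannot be confirmed from here.
```kotlin
override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
    val redirectUrl = request.url.toString()
    popBackIfNeeded(redirectUrl)
    if (isFinishing) return true
    if (!isUrlFromTrustedDomain(redirectUrl)) {
        // Off-domain targets open in the system browser, never in this authenticated WebView.
        runCatching { startActivity(Intent(Intent.ACTION_VIEW, request.url)) }
        return true
    }
    view.loadUrl(redirectUrl)
    return true
}
```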
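Review bot: `isUrlFromTrustedDomain` trusts `Uri.host`, but Android's `Uri` and the WebView's Chromium URL parser disagree on some authority forms — notably a backslash before `@` (`https://evil.example\@infomaniak.com` yields host `infomaniak.com` from `Uri`, while Chromium treats the backslash as a path separator and loads evil.example), so a URL can pass this check and still be loaded against another host. Rejecting any URL that carries a userinfo component closes that class: `uri.scheme == "https" && uri.userInfo == null && (host.endsWith(".infomaniak.com") || host == "infomaniak.com")`. The `catch (e: Exception)` is fail-closed, but `Uri.parse` is lazy and `host` does not throw on malformed input, so the `try` is effectively dead; either drop it or comment why it is kept, so readers do not assume a parse-error path exists.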