From f27484a6c21a9e02278cf8560aae56b51c0da668 Mon Sep 17 00:00:00 2001
From: Christian Grothoff <christian@grothoff.org>
Date: Wed, 21 Feb 2024 20:53:22 +0100
Subject: fix #8465

---
 src/util/payto.c | 80 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 79 insertions(+), 1 deletion(-)

(limited to 'src/util/payto.c')

diff --git a/src/util/payto.c b/src/util/payto.c
index 21889377b..4670e35f0 100644
--- a/src/util/payto.c
+++ b/src/util/payto.c
@@ -155,7 +155,6 @@ validate_payto_iban (const char *account_url)
                         IBAN_PREFIX,
                         strlen (IBAN_PREFIX)))
     return NULL; /* not an IBAN */
-
   iban = strrchr (account_url, '/') + 1;
 #undef IBAN_PREFIX
   q = strchr (iban,
@@ -189,6 +188,83 @@ validate_payto_iban (const char *account_url)
 }
 
 
+/**
+ * Validate payto://x-taler-bank/ account URL (only account information,
+ * wire subject and amount are ignored).
+ *
+ * @param account_url payto URL to parse
+ * @return NULL on success, otherwise an error message
+ *      to be freed by the caller
+ */
+static char *
+validate_payto_xtalerbank (const char *account_url)
+{
+  const char *user;
+  const char *host;
+  bool dot_ok;
+
+#define XTALERBANK_PREFIX "payto://x-taler-bank/"
+  if (0 != strncasecmp (account_url,
+                        XTALERBANK_PREFIX,
+                        strlen (XTALERBANK_PREFIX)))
+    return NULL; /* not an IBAN */
+  host = &account_url[strlen (XTALERBANK_PREFIX)];
+#undef XTALERBANK_PREFIX
+  user = strchr (host, '/');
+  if (NULL == user)
+  {
+    return GNUNET_strdup ("account name missing");
+  }
+  if (user == host)
+  {
+    return GNUNET_strdup ("domain name missing");
+  }
+  if ('-' == host[0])
+    return GNUNET_strdup ("invalid character '-' at start of domain name");
+  if (NULL != strchr (user + 1, '/'))
+    return GNUNET_strdup ("invalid character '/' after account name");
+  dot_ok = false;
+  while (host != user)
+  {
+    char c = host[0];
+
+    if ('.' == c)
+    {
+      if (! dot_ok)
+        return GNUNET_strdup ("invalid domain name (misplaced '.')");
+      dot_ok = false;
+    }
+    else
+    {
+      if (! ( ('-' == c) ||
+              ( ('0' <= c) && ('9' >= c) ) ||
+              ( ('a' <= c) && ('z' >= c) ) ||
+              ( ('A' <= c) && ('Z' >= c) ) ) )
+      {
+        char *err;
+
+        GNUNET_asprintf (&err,
+                         "invalid character '%c' in domain name",
+                         c);
+        return err;
+      }
+      dot_ok = true;
+    }
+    host++;
+  }
+  {
+    char *target;
+
+    target = payto_get_key (account_url,
+                            "receiver-name=");
+    if (NULL == target)
+      return GNUNET_strdup ("'receiver-name' parameter missing");
+    GNUNET_free (target);
+  }
+  return NULL;
+}
+
+
 char *
 TALER_payto_validate (const char *payto_uri)
 {
@@ -229,6 +305,8 @@ TALER_payto_validate (const char *payto_uri)
 
   if (NULL != (ret = validate_payto_iban (payto_uri)))
     return ret; /* got a definitive answer */
+  if (NULL != (ret = validate_payto_xtalerbank (payto_uri)))
+    return ret; /* got a definitive answer */
 
   /* Insert other bank account validation methods here later! */
 
-- 
cgit v1.2.3