From 9735f9ae67053f0b1010514cd183a5e19e6f69e4 Mon Sep 17 00:00:00 2001 From: Benoit Marty Date: Fri, 11 Apr 2025 16:38:23 +0200 Subject: [PATCH 1/4] Changelog for version 25.04.1 --- CHANGES.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/CHANGES.md b/CHANGES.md index 71a53e7e82..39b2c1edeb 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,3 +1,25 @@ +Changes in Element X v25.04.1 +============================= + + + +## What's Changed +### ✨ Features +* Introduce PushHistoryService to store data about the received push by @bmarty in https://github.com/element-hq/element-x-android/pull/4573 +### 🙌 Improvements +* change (preferences) : new moderation and safety settings by @ganfra in https://github.com/element-hq/element-x-android/pull/4574 +### 🐛 Bugfixes +* Ensure that we have only one single instance of SeenInviteStore per session by @bmarty in https://github.com/element-hq/element-x-android/pull/4577 +### Dependency upgrades +* fix(deps): update dependencyanalysis to v2.15.0 by @renovate in https://github.com/element-hq/element-x-android/pull/4558 +* fix(deps): update dependency io.mockk:mockk to v1.14.0 by @renovate in https://github.com/element-hq/element-x-android/pull/4562 +* fix(deps): update kotlin by @renovate in https://github.com/element-hq/element-x-android/pull/4552 +* fix(deps): update dependency org.maplibre.gl:android-sdk to v11.8.6 by @renovate in https://github.com/element-hq/element-x-android/pull/4567 +* fix(deps): update dependencyanalysis to v2.16.0 by @renovate in https://github.com/element-hq/element-x-android/pull/4575 + + +**Full Changelog**: https://github.com/element-hq/element-x-android/compare/v25.04.0...v25.04.1 + Changes in Element X v25.04.0 ============================= From fb4bb4e773c267333a2b17ef054e1512588bf768 Mon Sep 17 00:00:00 2001 
From: Benoit Marty Date: Thu, 17 Apr 2025 11:39:38 +0200 Subject: [PATCH 2/4] Merge commit from fork * Check validity of Element Call url host. * Prepare release 25.04.2 --- CHANGES.md | 7 +++++ .../android/en-US/changelogs/202504020.txt | 2 ++ .../call/impl/utils/CallIntentDataParser.kt | 13 ++++---- .../call/utils/CallIntentDataParserTest.kt | 31 ++++++++++++------- plugins/src/main/kotlin/Versions.kt | 2 +- 5 files changed, 37 insertions(+), 18 deletions(-) create mode 100644 fastlane/metadata/android/en-US/changelogs/202504020.txt diff --git a/CHANGES.md b/CHANGES.md index 39b2c1edeb..2cb9347e1d 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,3 +1,10 @@ +Changes in Element X v25.04.2 +============================= + +Security fixes 🔐 +----------------- +- Fix for [GHSA-m5px-pwq3-4p5m](https://github.com/element-hq/element-x-android/security/advisories/GHSA-m5px-pwq3-4p5m) / [CVE-2025-27599](https://www.cve.org/CVERecord?id=CVE-2025-27599) + Changes in Element X v25.04.1 ============================= diff --git a/fastlane/metadata/android/en-US/changelogs/202504020.txt b/fastlane/metadata/android/en-US/changelogs/202504020.txt new file mode 100644 index 0000000000..66578477e6 --- /dev/null +++ b/fastlane/metadata/android/en-US/changelogs/202504020.txt @@ -0,0 +1,2 @@ +Main changes in this version: security fix. +Full changelog: https://github.com/element-hq/element-x-android/releases diff --git a/features/call/impl/src/main/kotlin/io/element/android/features/call/impl/utils/CallIntentDataParser.kt b/features/call/impl/src/main/kotlin/io/element/android/features/call/impl/utils/CallIntentDataParser.kt index 22b9f6bef7..827427e0cf 100644 --- a/features/call/impl/src/main/kotlin/io/element/android/features/call/impl/utils/CallIntentDataParser.kt +++ b/features/call/impl/src/main/kotlin/io/element/android/features/call/impl/utils/CallIntentDataParser.kt 
@@ -12,25 +12,26 @@ import javax.inject.Inject class CallIntentDataParser @Inject constructor() { private val validHttpSchemes = sequenceOf("https") + private val knownHosts = sequenceOf( + "call.element.io", + ) fun parse(data: String?): String? { val parsedUrl = data?.let { Uri.parse(data) } ?: return null val scheme = parsedUrl.scheme return when { - scheme in validHttpSchemes && parsedUrl.host == "call.element.io" -> parsedUrl + scheme in validHttpSchemes -> parsedUrl scheme == "element" && parsedUrl.host == "call" -> { - // We use this custom scheme to load arbitrary URLs for other instances of Element Call, - // so we can only verify it's an HTTP/HTTPs URL with a non-empty host parsedUrl.getUrlParameter() } scheme == "io.element.call" && parsedUrl.host == null -> { - // We use this custom scheme to load arbitrary URLs for other instances of Element Call, - // so we can only verify it's an HTTP/HTTPs URL with a non-empty host parsedUrl.getUrlParameter() } // This should never be possible, but we still need to take into account the possibility else -> null - }?.withCustomParameters() + } + ?.takeIf { it.host in knownHosts } + ?.withCustomParameters() } private fun Uri.getUrlParameter(): Uri? { diff --git a/features/call/impl/src/test/kotlin/io/element/android/features/call/utils/CallIntentDataParserTest.kt b/features/call/impl/src/test/kotlin/io/element/android/features/call/utils/CallIntentDataParserTest.kt index 098f396d22..bafbe3f570 100644 --- a/features/call/impl/src/test/kotlin/io/element/android/features/call/utils/CallIntentDataParserTest.kt +++ b/features/call/impl/src/test/kotlin/io/element/android/features/call/utils/CallIntentDataParserTest.kt 
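Review bot: The new gate `?.takeIf { it.host in knownHosts }` checks the host only, so the https requirement for URLs embedded in the `element://call` and `io.element.call:` forms still rests on `getUrlParameter()`, whose body is outside this hunk. Putting both conditions at the single exit point, `?.takeIf { it.scheme in validHttpSchemes && it.host in knownHosts }`, would keep the invariant in one place and robust to later edits of that helper. The comparison also trusts `android.net.Uri`'s reading of the authority; if the returned string is later parsed by another component (presumably a WebView, not visible here), also rejecting a non-null `userInfo` would be cheap hardening against the two parsers disagreeing about the host. Since the explanatory comments on the custom schemes were removed, a comment on `knownHosts` such as `// Allow-list: every accepted URL, direct or embedded, must have exactly one of these hosts` would record why the list must not be widened casually.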
@@ -45,6 +45,17 @@ class CallIntentDataParserTest { doTest("http://call.element.io/some-actual-call?with=parameters", null) } + @Test + fun `Element Call urls with unknown host returns null`() { + // Check valid host first, should not return null + doTest("https://call.element.io", "https://call.element.io#?appPrompt=false&confineToRoom=true") + // Unknown host should return null + doTest("https://unknown.io", null) + doTest("https://call.unknown.io", null) + doTest("https://call.element.com", null) + doTest("https://call.element.io.tld", null) + } + @Test fun `Element Call urls will be returned as is`() { doTest( @@ -64,7 +75,7 @@ class CallIntentDataParserTest { @Test fun `HTTP and HTTPS urls that don't come from EC return null`() { doTest("http://app.element.io", null) - doTest("https://app.element.io", null, testEmbedded = false) + doTest("https://app.element.io", null) doTest("http://", null) doTest("https://", null) } 
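Review bot: The negative cases in `Element Call urls with unknown host returns null` are all lookalike domains; none exercises an authority with extra components, which is where host allow-lists usually regress. Consider adding cases such as `doTest("https://call.element.io@unknown.io", null)` and `doTest("https://sub.call.element.io", null)` (constructed examples), plus one with an explicit port to pin down whether `https://call.element.io:PORT` is meant to be accepted. The expected values assume the `Uri` implementation used by the test runtime parses the authority the same way as the one on a device, which is worth confirming.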
@@ -193,20 +204,18 @@ class CallIntentDataParserTest { ) } - private fun doTest(url: String, expectedResult: String?, testEmbedded: Boolean = true) { + private fun doTest(url: String, expectedResult: String?) { // Test direct parsing assertThat(callIntentDataParser.parse(url)).isEqualTo(expectedResult) - if (testEmbedded) { - // Test embedded url, scheme 1 - val encodedUrl = URLEncoder.encode(url, "utf-8") - val urlScheme1 = "element://call?url=$encodedUrl" - assertThat(callIntentDataParser.parse(urlScheme1)).isEqualTo(expectedResult) + // Test embedded url, scheme 1 + val encodedUrl = URLEncoder.encode(url, "utf-8") + val urlScheme1 = "element://call?url=$encodedUrl" + assertThat(callIntentDataParser.parse(urlScheme1)).isEqualTo(expectedResult) - // Test embedded url, scheme 2 - val urlScheme2 = "io.element.call:/?url=$encodedUrl" - assertThat(callIntentDataParser.parse(urlScheme2)).isEqualTo(expectedResult) - } + // Test embedded url, scheme 2 + val urlScheme2 = "io.element.call:/?url=$encodedUrl" + assertThat(callIntentDataParser.parse(urlScheme2)).isEqualTo(expectedResult) } companion object { diff --git a/plugins/src/main/kotlin/Versions.kt b/plugins/src/main/kotlin/Versions.kt index 08c4a55d2e..0902f84d53 100644 --- a/plugins/src/main/kotlin/Versions.kt +++ b/plugins/src/main/kotlin/Versions.kt @@ -32,7 +32,7 @@ private const val versionYear = 25 private const val versionMonth = 4 // Note: must be in [0,99] -private const val versionReleaseNumber = 1 +private const val versionReleaseNumber = 2 object Versions { const val VERSION_CODE = (2000 + versionYear) * 10_000 + versionMonth * 100 + versionReleaseNumber From 4716d0e67e29a7609cb60093ae90639272cb1207 Mon Sep 17 00:00:00 2001 From: ganfra Date: Wed, 23 Apr 2025 11:02:23 +0200 Subject: [PATCH 3/4] Setting version for the release 25.04.3 --- plugins/src/main/kotlin/Versions.kt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
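Review bot: `doTest` now always runs three assertions against the same expected value, but a failure does not say whether the direct URL, the `element://call?url=` form or the `io.element.call:/?url=` form was the one that misbehaved. Attaching a description to each assertion (for example `assertWithMessage("embedded, element:// scheme").that(...)` if the assertion library is Truth) would make a regression in a single entry path easier to locate. The enclosing test class starts outside the hunk.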
diff --git a/plugins/src/main/kotlin/Versions.kt b/plugins/src/main/kotlin/Versions.kt index 0902f84d53..8eae02888e 100644 --- a/plugins/src/main/kotlin/Versions.kt +++ b/plugins/src/main/kotlin/Versions.kt @@ -32,7 +32,7 @@ private const val versionYear = 25 private const val versionMonth = 4 // Note: must be in [0,99] -private const val versionReleaseNumber = 2 +private const val versionReleaseNumber = 3 object Versions { const val VERSION_CODE = (2000 + versionYear) * 10_000 + versionMonth * 100 + versionReleaseNumber From 50119bbb1e86e04c872b5bae6fd7f982a762470b Mon Sep 17 00:00:00 2001 From: ganfra Date: Wed, 23 Apr 2025 11:03:47 +0200 Subject: [PATCH 4/4] Adding fastlane file for version 25.04.3 --- fastlane/metadata/android/en-US/changelogs/202504030.txt | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 fastlane/metadata/android/en-US/changelogs/202504030.txt diff --git a/fastlane/metadata/android/en-US/changelogs/202504030.txt b/fastlane/metadata/android/en-US/changelogs/202504030.txt new file mode 100644 index 0000000000..a4b397f1bb --- /dev/null +++ b/fastlane/metadata/android/en-US/changelogs/202504030.txt @@ -0,0 +1,2 @@ +Main changes in this version: bug fixes and improvements. +Full changelog: https://github.com/element-hq/element-x-android/releases \ No newline at end of file