From 2d739a324e9b9a67d7d71ba3fbbe1cdd8046cdcc Mon Sep 17 00:00:00 2001
From: Moxie Marlinspike
Date: Fri, 13 Jun 2014 16:15:33 -0700
Subject: [PATCH] Validate MMS delivery destination.

We can't depend on validated Recipients anymore, so this adds parity to the validation the SMS transport does now.

Fixes #1592
---
 .../securesms/transport/MmsTransport.java | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/src/org/thoughtcrime/securesms/transport/MmsTransport.java b/src/org/thoughtcrime/securesms/transport/MmsTransport.java
index d7005b881..1c18fd07d 100644
--- a/src/org/thoughtcrime/securesms/transport/MmsTransport.java
+++ b/src/org/thoughtcrime/securesms/transport/MmsTransport.java
@@ -31,6 +31,7 @@ import org.thoughtcrime.securesms.protocol.WirePrefix;
 import org.thoughtcrime.securesms.recipients.Recipient;
 import org.thoughtcrime.securesms.recipients.RecipientFactory;
 import org.thoughtcrime.securesms.recipients.RecipientFormattingException;
+import org.thoughtcrime.securesms.util.NumberUtil;
 import org.thoughtcrime.securesms.util.TextSecurePreferences;
 import org.whispersystems.textsecure.crypto.MasterSecret;
 import org.whispersystems.textsecure.crypto.SessionCipher;
@@ -72,6 +73,8 @@ public class MmsTransport {
 throw new UndeliverableMessageException("MMS Transport is not enabled!");
 }
 
+ validateDestinations(message);
+
 try {
 if (isCdmaDevice()) {
 Log.w("MmsTransport", "Sending MMS directly without radio change...");
@@ -197,4 +200,35 @@ public class MmsTransport {
 .getPhoneType() == TelephonyManager.PHONE_TYPE_CDMA;
 }
 
+ private void validateDestination(EncodedStringValue destination) throws UndeliverableMessageException {
+ if (destination == null || !NumberUtil.isValidSmsOrEmail(destination.getString())) {
+ throw new UndeliverableMessageException("Invalid destination: " +
+ (destination == null ? null : destination.getString()));
+ }
+ }
+
+ private void validateDestinations(SendReq message) throws UndeliverableMessageException {
+ if (message.getTo() != null) {
+ for (EncodedStringValue to : message.getTo()) {
+ validateDestination(to);
+ }
+ }
+
+ if (message.getCc() != null) {
+ for (EncodedStringValue cc : message.getCc()) {
+ validateDestination(cc);
+ }
+ }
+
+ if (message.getBcc() != null) {
+ for (EncodedStringValue bcc : message.getBcc()) {
+ validateDestination(bcc);
+ }
+ }
+
+ if (message.getTo() == null && message.getCc() == null && message.getBcc() == null) {
+ throw new UndeliverableMessageException("No to, cc, or bcc specified!");
+ }
+ }
+
 }
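Review bot: The final guard in `validateDestinations` only tests the three getters for `null`, so a message whose `getTo()` is non-null but empty (with cc and bcc null) passes validation without a single recipient; whether `SendReq` can hand back an empty array is not visible in this hunk and should be confirmed. Counting the entries that were actually validated and rejecting a total of zero closes that gap and folds the three near-identical loops into one helper, as sketched below, assuming the getters return `EncodedStringValue[]`. Separately, `validateDestination` copies the raw address into the exception message; if callers log `UndeliverableMessageException` messages, phone numbers and e-mail addresses would land in the log, so a fixed `"Invalid destination"` message may be the safer default.

```java
// … unchanged: validateDestination(EncodedStringValue) …

private int validateAll(EncodedStringValue[] destinations) throws UndeliverableMessageException {
  if (destinations == null) return 0;

  for (EncodedStringValue destination : destinations) {
    validateDestination(destination);
  }

  return destinations.length;
}

private void validateDestinations(SendReq message) throws UndeliverableMessageException {
  int count = validateAll(message.getTo()) +
              validateAll(message.getCc()) +
              validateAll(message.getBcc());

  // Null and empty recipient lists are both "nothing to deliver to".
  if (count == 0) {
    throw new UndeliverableMessageException("No to, cc, or bcc specified!");
  }
}
```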