Adjust URI host parsing to stop on \ character.

The WHATWG URL parsing algorithm [1] used by browsers says that for "special" URL schemes (which is basically all commonly-used hierarchical schemes, including http, https, ftp, and file), the host portion ends if a \ character is seen, whereas this class previously continued to consider characters part of the hostname. This meant that a malicious URL could be seen as having a "safe" host when viewed by an app but navigate to a different host when passed to a browser. [1] https://url.spec.whatwg.org/#host-state Bug: 71360761 Test: vogar frameworks/base/core/tests/coretests/src/android/net/UriTest.java (on NYC branch) Test: cts -m CtsNetTestCases (on NYC branch) Change-Id: Id53f7054d1be8d59bbcc7e219159e59a2425106e (cherry picked from commit fa3afbd0e7a9a0d8fc8c55ceefdb4ddf9d0115af)
author: Adam Vartanian <flooey@google.com> 2018-01-31 11:05:10 +0000
committer: android-build-team Robot <android-build-team-robot@google.com> 2018-03-16 21:38:22 +0000
commit: 38103a8813f2650b6c4278aefb45dc519ece0739 (patch)
tree: 72fd4b5c5b4d9b6b155f66dab6abc4897a9b5ea0
parent: e5c98b1380425693f27be79bd10e6947eb101816 (diff)
download: base-38103a8813f2650b6c4278aefb45dc519ece0739.tar.gz
2 files changed, 14 insertions, 0 deletions
diff --git a/core/java/android/net/Uri.java b/core/java/android/net/Uri.java
index 32a644856fd8..41fa062c53dc 100644
--- a/core/java/android/net/Uri.java
+++ b/core/java/android/net/Uri.java
@@ -719,6 +719,10 @@ public abstract class Uri implements Parcelable, Comparable<Uri> {
                 LOOP: while (end < length) {
                     switch (uriString.charAt(end)) {
                         case '/': // Start of path
+                        case '\\':// Start of path
+                          // Per http://url.spec.whatwg.org/#host-state, the \ character
+                          // is treated as if it were a / character when encountered in a
+                          // host
                         case '?': // Start of query
                         case '#': // Start of fragment
                             break LOOP;
@@ -757,6 +761,10 @@ public abstract class Uri implements Parcelable, Comparable<Uri> {
                         case '#': // Start of fragment
                             return ""; // Empty path.
                         case '/': // Start of path!
+                        case '\\':// Start of path!
+                          // Per http://url.spec.whatwg.org/#host-state, the \ character
+                          // is treated as if it were a / character when encountered in a
+                          // host
                             break LOOP;
                     }
                     pathStart++;
diff --git a/core/tests/coretests/src/android/net/UriTest.java b/core/tests/coretests/src/android/net/UriTest.java
index 27b7f9e185bb..ea0347d67ad7 100644
--- a/core/tests/coretests/src/android/net/UriTest.java
+++ b/core/tests/coretests/src/android/net/UriTest.java
@@ -192,6 +192,12 @@ public class UriTest extends TestCase {
         assertEquals("a:a@example.com:a@example2.com", uri.getAuthority());
         assertEquals("example2.com", uri.getHost());
         assertEquals(-1, uri.getPort());
+        assertEquals("/path", uri.getPath());
+
+        uri = Uri.parse("http://a.foo.com\\.example.com/path");
+        assertEquals("a.foo.com", uri.getHost());
+        assertEquals(-1, uri.getPort());
+        assertEquals("\\.example.com/path", uri.getPath());
     }
 
     @SmallTest
author	Adam Vartanian <flooey@google.com>	2018-01-31 11:05:10 +0000
committer	android-build-team Robot <android-build-team-robot@google.com>	2018-03-16 21:38:22 +0000
commit	38103a8813f2650b6c4278aefb45dc519ece0739 (patch)
tree	72fd4b5c5b4d9b6b155f66dab6abc4897a9b5ea0
parent	e5c98b1380425693f27be79bd10e6947eb101816 (diff)
download	base-38103a8813f2650b6c4278aefb45dc519ece0739.tar.gz