diff options
author | Adam Vartanian <flooey@google.com> | 2018-01-31 11:05:10 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2018-02-03 00:11:08 +0000 |
commit | 90c6d6e028359e9b0e7d10953cab13e8ad5cc651 (patch) | |
tree | a0b843c95dca0667cd6c42afc76c3a95de2e49a0 | |
parent | 826fec9d42112c73bee3dd0fd6c46653f6ce270e (diff) | |
download | base-90c6d6e028359e9b0e7d10953cab13e8ad5cc651.tar.gz |
Adjust URI host parsing to stop on \ character.
The WHATWG URL parsing algorithm [1] used by browsers says that for
"special" URL schemes (which is basically all commonly-used
hierarchical schemes, including http, https, ftp, and file), the host
portion ends if a \ character is seen, whereas this class previously
continued to consider characters part of the hostname. This meant
that a malicious URL could be seen as having a "safe" host when viewed
by an app but navigate to a different host when passed to a browser.
[1] https://url.spec.whatwg.org/#host-state
Bug: 71360761
Test: vogar frameworks/base/core/tests/coretests/src/android/net/UriTest.java (on NYC branch)
Test: cts -m CtsNetTestCases (on NYC branch)
Change-Id: Id53f7054d1be8d59bbcc7e219159e59a2425106e
(cherry picked from commit fa3afbd0e7a9a0d8fc8c55ceefdb4ddf9d0115af)
-rw-r--r-- | core/java/android/net/Uri.java | 8 | ||||
-rw-r--r-- | core/tests/coretests/src/android/net/UriTest.java | 6 |
2 files changed, 14 insertions, 0 deletions
diff --git a/core/java/android/net/Uri.java b/core/java/android/net/Uri.java index 9edcc0e9b8d4..5ca3a4106a2d 100644 --- a/core/java/android/net/Uri.java +++ b/core/java/android/net/Uri.java @@ -720,6 +720,10 @@ public abstract class Uri implements Parcelable, Comparable<Uri> { LOOP: while (end < length) { switch (uriString.charAt(end)) { case '/': // Start of path + case '\\':// Start of path + // Per http://url.spec.whatwg.org/#host-state, the \ character + // is treated as if it were a / character when encountered in a + // host case '?': // Start of query case '#': // Start of fragment break LOOP; @@ -758,6 +762,10 @@ public abstract class Uri implements Parcelable, Comparable<Uri> { case '#': // Start of fragment return ""; // Empty path. case '/': // Start of path! + case '\\':// Start of path! + // Per http://url.spec.whatwg.org/#host-state, the \ character + // is treated as if it were a / character when encountered in a + // host break LOOP; } pathStart++; diff --git a/core/tests/coretests/src/android/net/UriTest.java b/core/tests/coretests/src/android/net/UriTest.java index 27b7f9e185bb..ea0347d67ad7 100644 --- a/core/tests/coretests/src/android/net/UriTest.java +++ b/core/tests/coretests/src/android/net/UriTest.java @@ -192,6 +192,12 @@ public class UriTest extends TestCase { assertEquals("a:a@example.com:a@example2.com", uri.getAuthority()); assertEquals("example2.com", uri.getHost()); assertEquals(-1, uri.getPort()); + assertEquals("/path", uri.getPath()); + + uri = Uri.parse("http://a.foo.com\\.example.com/path"); + assertEquals("a.foo.com", uri.getHost()); + assertEquals(-1, uri.getPort()); + assertEquals("\\.example.com/path", uri.getPath()); } @SmallTest |