Adjust URI host parsing to stop on \ character.

The WHATWG URL parsing algorithm [1] used by browsers says that for "special" URL schemes (which is basically all commonly-used hierarchical schemes, including http, https, ftp, and file), the host portion ends if a \ character is seen, whereas this class previously continued to consider characters part of the hostname. This meant that a malicious URL could be seen as having a "safe" host when viewed by an app but navigate to a different host when passed to a browser. [1] https://url.spec.whatwg.org/#host-state Bug: 71360761 Test: vogar frameworks/base/core/tests/coretests/src/android/net/UriTest.java (on NYC branch) Test: cts -m CtsNetTestCases (on NYC branch) Change-Id: Id53f7054d1be8d59bbcc7e219159e59a2425106e
2018-01-31 11:05:10 +00:00
parent 6a9c7c4814
commit fa3afbd0e7
2 changed files with 14 additions and 0 deletions
--- a/core/java/android/net/Uri.java
+++ b/core/java/android/net/Uri.java
@@ -714,6 +714,10 @@ public abstract class Uri implements Parcelable, Comparable<Uri> {
                LOOP: while (end < length) {
                    switch (uriString.charAt(end)) {
                        case '/': // Start of path
+                        case '\\':// Start of path
+                          // Per http://url.spec.whatwg.org/#host-state, the \ character
+                          // is treated as if it were a / character when encountered in a
+                          // host
                        case '?': // Start of query
                        case '#': // Start of fragment
                            break LOOP;
@@ -752,6 +756,10 @@ public abstract class Uri implements Parcelable, Comparable<Uri> {
                        case '#': // Start of fragment
                            return ""; // Empty path.
                        case '/': // Start of path!
+                        case '\\':// Start of path!
+                          // Per http://url.spec.whatwg.org/#host-state, the \ character
+                          // is treated as if it were a / character when encountered in a
+                          // host
                            break LOOP;
                    }
                    pathStart++;
--- a/core/tests/coretests/src/android/net/UriTest.java
+++ b/core/tests/coretests/src/android/net/UriTest.java
@@ -192,6 +192,12 @@ public class UriTest extends TestCase {
        assertEquals("a:a@example.com:a@example2.com", uri.getAuthority());
        assertEquals("example2.com", uri.getHost());
        assertEquals(-1, uri.getPort());
+        assertEquals("/path", uri.getPath());
+
+        uri = Uri.parse("http://a.foo.com\\.example.com/path");
+        assertEquals("a.foo.com", uri.getHost());
+        assertEquals(-1, uri.getPort());
+        assertEquals("\\.example.com/path", uri.getPath());
    }

    @SmallTest