diff options
author | Adam Vartanian <flooey@google.com> | 2017-11-07 12:22:23 +0000 |
---|---|---|
committer | Andreas Blaesius <skate4life@gmx.de> | 2018-01-14 13:05:48 +0100 |
commit | 34413e9c5deeada859fdb10b223f7c9884a3a7f4 (patch) | |
tree | 183adbc4592e5314134a31bfea2ae8f0a2852f2c | |
parent | 3ca7066a2e35d53bcb15d27df469deca64d5b04f (diff) | |
download | frameworks_base-34413e9c5deeada859fdb10b223f7c9884a3a7f4.tar.gz frameworks_base-34413e9c5deeada859fdb10b223f7c9884a3a7f4.tar.bz2 frameworks_base-34413e9c5deeada859fdb10b223f7c9884a3a7f4.zip |
Adjust Uri host parsing to use last instead of first @.
Malformed authority segments can currently cause the parser to produce
a hostname that doesn't match the hostname produced by the WHATWG URL
parsing algorithm* used by browsers, which means that a URL could be seen
as having a "safe" host when checked by an Android app but actually visit
a different host when passed to a browser. The WHATWG URL parsing
algorithm always produces a hostname based on the last @ in the authority
segment, so we do the same.
* https://url.spec.whatwg.org/#authority-state resets the "buffer", which
is being used to build up the host name, each time an @ is found, so it
has the effect of using the content between the final @ and the end
of the authority section as the hostname.
Bug: 68341964
Test: vogar android.net.UriTest (on NYC branch)
Test: cts -m CtsNetTestCases (on NYC branch)
Change-Id: Idca79f35a886de042c94d6ab66787c2e98ac8376
(cherry picked from commit cd6228dd377b2a0caa02a1e6df92f3d9ae702a95)
CVE-2017-13176
-rw-r--r-- | core/java/android/net/Uri.java | 6 | ||||
-rw-r--r-- | core/tests/coretests/src/android/net/UriTest.java | 5 |
2 files changed, 8 insertions, 3 deletions
diff --git a/core/java/android/net/Uri.java b/core/java/android/net/Uri.java index 4a8dfbc5aef..06bb07b7629 100644 --- a/core/java/android/net/Uri.java +++ b/core/java/android/net/Uri.java @@ -1065,7 +1065,7 @@ public abstract class Uri implements Parcelable, Comparable<Uri> { return null; } - int end = authority.indexOf('@'); + int end = authority.lastIndexOf('@'); return end == NOT_FOUND ? null : authority.substring(0, end); } @@ -1089,7 +1089,7 @@ public abstract class Uri implements Parcelable, Comparable<Uri> { } // Parse out user info and then port. - int userInfoSeparator = authority.indexOf('@'); + int userInfoSeparator = authority.lastIndexOf('@'); int portSeparator = authority.indexOf(':', userInfoSeparator); String encodedHost = portSeparator == NOT_FOUND @@ -1115,7 +1115,7 @@ public abstract class Uri implements Parcelable, Comparable<Uri> { // Make sure we look for the port separtor *after* the user info // separator. We have URLs with a ':' in the user info. - int userInfoSeparator = authority.indexOf('@'); + int userInfoSeparator = authority.lastIndexOf('@'); int portSeparator = authority.indexOf(':', userInfoSeparator); if (portSeparator == NOT_FOUND) { diff --git a/core/tests/coretests/src/android/net/UriTest.java b/core/tests/coretests/src/android/net/UriTest.java index 6fa28b1ccda..27b7f9e185b 100644 --- a/core/tests/coretests/src/android/net/UriTest.java +++ b/core/tests/coretests/src/android/net/UriTest.java @@ -187,6 +187,11 @@ public class UriTest extends TestCase { uri = Uri.parse("http://localhost"); assertEquals("localhost", uri.getHost()); assertEquals(-1, uri.getPort()); + + uri = Uri.parse("http://a:a@example.com:a@example2.com/path"); + assertEquals("a:a@example.com:a@example2.com", uri.getAuthority()); + assertEquals("example2.com", uri.getHost()); + assertEquals(-1, uri.getPort()); } @SmallTest |