authorAlex Klyubin <klyubin@google.com>2015-04-01 10:59:29 -0700
committerAlex Klyubin <klyubin@google.com>2015-04-01 13:09:22 -0700
commit3f24a1d94a42762c245a32272c797250a804cfc3 (patch)
tree7ece6f888ca034f225ef54513edc13c3f7200935
parentc461452eb78867032092b2fce14c2fcb3e7ab34e (diff)
Cleanse HTTP, HTTPS, and FTP URLs in Uri.toSafeString.
This makes the hidden API android.net.Uri.toSafeString omit most parts of HTTP, HTTPS, and FTP URLs to avoid leaking anything unsafe. Only the host and port are retained for these URLs. Bug: 19215516 Change-Id: I2e9e33d9afaa9de5dd07a40532d56f0a2179f62a
-rw-r--r--core/java/android/net/Uri.java5
-rw-r--r--core/tests/coretests/src/android/net/UriTest.java52
2 files changed, 57 insertions, 0 deletions
diff --git a/core/java/android/net/Uri.java b/core/java/android/net/Uri.java
index 2099c3f..fb2f445 100644
--- a/core/java/android/net/Uri.java
+++ b/core/java/android/net/Uri.java
@@ -384,6 +384,11 @@ public abstract class Uri implements Parcelable, Comparable<Uri> {
}
}
return builder.toString();
+ } else if (scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https")
+ || scheme.equalsIgnoreCase("ftp")) {
+ ssp = "//" + ((getHost() != null) ? getHost() : "")
+ + ((getPort() != -1) ? (":" + getPort()) : "")
+ + "/...";
}
}
// Not a sensitive scheme, but let's still be conservative about
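Review bot: The added branch at `scheme.equalsIgnoreCase("http") || ...` cleanses only three named schemes, so any other hierarchical scheme still takes the generic path below it, and the expectations added in UriTest for `unsupported://ajkakjah/askdha/secret?secret` show that path keeping the path and query in full. If callers rely on toSafeString for logging, that limit should be stated where they will see it, for example in the method's Javadoc: `Only the host and port are kept for http, https and ftp URLs; URIs with other, unlisted schemes keep their scheme-specific part unchanged.` As a matter of style, `getHost()` and `getPort()` are each evaluated twice in the expression; reading them once into locals (`String host = getHost(); int port = getPort();`) would be easier to follow. The enclosing method starts and ends outside this hunk.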
diff --git a/core/tests/coretests/src/android/net/UriTest.java b/core/tests/coretests/src/android/net/UriTest.java
index cd45017..6fa28b1 100644
--- a/core/tests/coretests/src/android/net/UriTest.java
+++ b/core/tests/coretests/src/android/net/UriTest.java
@@ -804,4 +804,56 @@ public class UriTest extends TestCase {
assertFalse(Uri.parse("content://com.example/path/path").isPathPrefixMatch(
Uri.parse("content://com.example/path%2Fpath")));
}
+
+ public void testToSafeString() {
+ checkToSafeString("tel:xxxxxx", "tel:Google");
+ checkToSafeString("tel:xxxxxxxxxx", "tel:1234567890");
+ checkToSafeString("tEl:xxx.xxx-xxxx", "tEl:123.456-7890");
+
+ checkToSafeString("sms:xxxxxx", "sms:123abc");
+ checkToSafeString("smS:xxx.xxx-xxxx", "smS:123.456-7890");
+
+ checkToSafeString("smsto:xxxxxx", "smsto:123abc");
+ checkToSafeString("SMSTo:xxx.xxx-xxxx", "SMSTo:123.456-7890");
+
+ checkToSafeString("mailto:xxxxxxx@xxxxxxx.xxx", "mailto:android@android.com");
+ checkToSafeString("Mailto:xxxxxxx@xxxxxxx.xxxxxxxxxx",
+ "Mailto:android@android.com/secret");
+
+ checkToSafeString("sip:xxxxxxx@xxxxxxx.xxxxxxxx", "sip:android@android.com:1234");
+ checkToSafeString("sIp:xxxxxxx@xxxxxxx.xxx", "sIp:android@android.com");
+
+ checkToSafeString("http://www.android.com/...", "http://www.android.com");
+ checkToSafeString("HTTP://www.android.com/...", "HTTP://www.android.com");
+ checkToSafeString("http://www.android.com/...", "http://www.android.com/");
+ checkToSafeString("http://www.android.com/...", "http://www.android.com/secretUrl?param");
+ checkToSafeString("http://www.android.com/...",
+ "http://user:pwd@www.android.com/secretUrl?param");
+ checkToSafeString("http://www.android.com/...",
+ "http://user@www.android.com/secretUrl?param");
+ checkToSafeString("http://www.android.com/...", "http://www.android.com/secretUrl?param");
+ checkToSafeString("http:///...", "http:///path?param");
+ checkToSafeString("http:///...", "http://");
+ checkToSafeString("http://:12345/...", "http://:12345/");
+
+ checkToSafeString("https://www.android.com/...", "https://www.android.com/secretUrl?param");
+ checkToSafeString("https://www.android.com:8443/...",
+ "https://user:pwd@www.android.com:8443/secretUrl?param");
+ checkToSafeString("https://www.android.com/...", "https://user:pwd@www.android.com");
+ checkToSafeString("Https://www.android.com/...", "Https://user:pwd@www.android.com");
+
+ checkToSafeString("ftp://ftp.android.com/...", "ftp://ftp.android.com/");
+ checkToSafeString("ftP://ftp.android.com/...", "ftP://anonymous@ftp.android.com/");
+ checkToSafeString("ftp://ftp.android.com:2121/...",
+ "ftp://root:love@ftp.android.com:2121/");
+
+ checkToSafeString("unsupported://ajkakjah/askdha/secret?secret",
+ "unsupported://ajkakjah/askdha/secret?secret");
+ checkToSafeString("unsupported:ajkakjah/askdha/secret?secret",
+ "unsupported:ajkakjah/askdha/secret?secret");
+ }
+
+ private void checkToSafeString(String expectedSafeString, String original) {
+ assertEquals(expectedSafeString, Uri.parse(original).toSafeString());
+ }
}
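Review bot: The assertion for `"http://www.android.com/secretUrl?param"` appears twice in testToSafeString (the fourth http case, and again after the two user-info cases), so the second copy adds no coverage. None of the cases carries a `#fragment`, which is a common place for tokens, so that slot could pin one instead: `checkToSafeString("http://www.android.com/...", "http://www.android.com/secretUrl?param#fragment");`. The expected value there assumes the fragment is dropped along with the path, which the Uri.java hunk suggests but does not show in full. A bracketed IPv6 host with a port would also be worth a case, since the safe string is rebuilt from getHost() and getPort().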