
Commit 3f24a1d9 authored by Alex Klyubin's avatar Alex Klyubin

Cleanse HTTP, HTTPS, and FTP URLs in Uri.toSafeString.

This makes the hidden API android.net.Uri.toSafeString omit most parts
of HTTP, HTTPS, and FTP URLs to avoid leaking anything unsafe. Only
the host and port are retained for these URLs.

Bug: 19215516
Change-Id: I2e9e33d9afaa9de5dd07a40532d56f0a2179f62a
parent c461452e
+5 −0
@@ -384,6 +384,11 @@ public abstract class Uri implements Parcelable, Comparable<Uri> {
                    }
                }
                return builder.toString();
            } else if (scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https")
                    || scheme.equalsIgnoreCase("ftp")) {
                ssp = "//" + ((getHost() != null) ? getHost() : "")
                        + ((getPort() != -1) ? (":" + getPort()) : "")
                        + "/...";
            }
        }
        // Not a sensitive scheme, but let's still be conservative about
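Review bot: The new `else if` redacts only the three schemes it names, so other URLs with an authority, path and query still appear to come out of toSafeString unchanged; the last two cases in testToSafeString expect `unsupported://ajkakjah/askdha/secret?secret` back verbatim. Callers that log the result should not have to discover that from the tests, so the method's Javadoc (outside this hunk) should list which schemes are cleansed and say that every other scheme is emitted with its scheme-specific part intact. The branch itself would also benefit from a why-comment such as `// Keep only host and port: userinfo, path, query and fragment can carry credentials or tokens.`. As a style point, `getHost()` and `getPort()` are each evaluated twice in the expression; reading them once into locals (`String host = getHost(); int port = getPort();`) is easier to follow. The body of toSafeString starts and ends outside the hunk, so the handling after the trailing comment could not be checked here.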
+52 −0
@@ -804,4 +804,56 @@ public class UriTest extends TestCase {
        assertFalse(Uri.parse("content://com.example/path/path").isPathPrefixMatch(
                Uri.parse("content://com.example/path%2Fpath")));
    }

    public void testToSafeString() {
        checkToSafeString("tel:xxxxxx", "tel:Google");
        checkToSafeString("tel:xxxxxxxxxx", "tel:1234567890");
        checkToSafeString("tEl:xxx.xxx-xxxx", "tEl:123.456-7890");

        checkToSafeString("sms:xxxxxx", "sms:123abc");
        checkToSafeString("smS:xxx.xxx-xxxx", "smS:123.456-7890");

        checkToSafeString("smsto:xxxxxx", "smsto:123abc");
        checkToSafeString("SMSTo:xxx.xxx-xxxx", "SMSTo:123.456-7890");

        checkToSafeString("mailto:xxxxxxx@xxxxxxx.xxx", "mailto:android@android.com");
        checkToSafeString("Mailto:xxxxxxx@xxxxxxx.xxxxxxxxxx",
                "Mailto:android@android.com/secret");

        checkToSafeString("sip:xxxxxxx@xxxxxxx.xxxxxxxx", "sip:android@android.com:1234");
        checkToSafeString("sIp:xxxxxxx@xxxxxxx.xxx", "sIp:android@android.com");

        checkToSafeString("http://www.android.com/...", "http://www.android.com");
        checkToSafeString("HTTP://www.android.com/...", "HTTP://www.android.com");
        checkToSafeString("http://www.android.com/...", "http://www.android.com/");
        checkToSafeString("http://www.android.com/...", "http://www.android.com/secretUrl?param");
        checkToSafeString("http://www.android.com/...",
                "http://user:pwd@www.android.com/secretUrl?param");
        checkToSafeString("http://www.android.com/...",
                "http://user@www.android.com/secretUrl?param");
        checkToSafeString("http://www.android.com/...", "http://www.android.com/secretUrl?param");
        checkToSafeString("http:///...", "http:///path?param");
        checkToSafeString("http:///...", "http://");
        checkToSafeString("http://:12345/...", "http://:12345/");

        checkToSafeString("https://www.android.com/...", "https://www.android.com/secretUrl?param");
        checkToSafeString("https://www.android.com:8443/...",
                "https://user:pwd@www.android.com:8443/secretUrl?param");
        checkToSafeString("https://www.android.com/...", "https://user:pwd@www.android.com");
        checkToSafeString("Https://www.android.com/...", "Https://user:pwd@www.android.com");

        checkToSafeString("ftp://ftp.android.com/...", "ftp://ftp.android.com/");
        checkToSafeString("ftP://ftp.android.com/...", "ftP://anonymous@ftp.android.com/");
        checkToSafeString("ftp://ftp.android.com:2121/...",
                "ftp://root:love@ftp.android.com:2121/");

        checkToSafeString("unsupported://ajkakjah/askdha/secret?secret",
                "unsupported://ajkakjah/askdha/secret?secret");
        checkToSafeString("unsupported:ajkakjah/askdha/secret?secret",
                "unsupported:ajkakjah/askdha/secret?secret");
    }

    private void checkToSafeString(String expectedSafeString, String original) {
        assertEquals(expectedSafeString, Uri.parse(original).toSafeString());
    }
}
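Review bot: The assertion `checkToSafeString("http://www.android.com/...", "http://www.android.com/secretUrl?param");` appears twice in testToSafeString with identical arguments, so the second copy adds no coverage. None of the HTTP, HTTPS or FTP inputs carries a fragment, which is another place where tokens are commonly put. The duplicate could be replaced with a fragment case such as `checkToSafeString("http://www.android.com/...", "http://www.android.com/secretUrl#secretFragment");`; the expected value assumes the fragment is dropped like the query and should be confirmed against the implementation. A one-line comment above the HTTP block stating that only scheme, host and port may survive would make the intent of these cases explicit.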