Don't pass URL path and username/password to PAC scripts The URL path could contain credentials that apps don't want exposed to a potentially malicious PAC script. Bug: 27593919 Change-Id: I4bb0362fc91f70ad47c4c7453d77d6f9a1e8eeed

commit: 5c3aba200be469f7f69bbd2eb64e573a0560fcfc [log] [tgz]
author: Paul Jensen <pauljensen@google.com> Fri Apr 15 10:41:13 2016 -0400
committer: Feng Yu <feny@google.com> Tue May 24 23:28:30 2016 +0000
tree: ab885722088b950e1aa66327451a704ed621bb7d
parent: 058fe8ea6f9c70bac9fc63d1da8a88677d9fd946 [diff]
diff --git a/core/java/android/net/PacProxySelector.java b/core/java/android/net/PacProxySelector.java
index 9bdf4f6..85bf79a 100644
--- a/core/java/android/net/PacProxySelector.java
+++ b/core/java/android/net/PacProxySelector.java

@@ -30,6 +30,7 @@
 import java.net.ProxySelector;
 import java.net.SocketAddress;
 import java.net.URI;
+import java.net.URISyntaxException;
 import java.util.List;
 
 /**
@@ -67,7 +68,15 @@
         String response = null;
         String urlString;
         try {
+            // Strip path and username/password from URI so it's not visible to PAC script. The
+            // path often contains credentials the app does not want exposed to a potentially
+            // malicious PAC script.
+            if (!"http".equalsIgnoreCase(uri.getScheme())) {
+                uri = new URI(uri.getScheme(), null, uri.getHost(), uri.getPort(), "/", null, null);
+            }
             urlString = uri.toURL().toString();
+        } catch (URISyntaxException e) {
+            urlString = uri.getHost();
         } catch (MalformedURLException e) {
             urlString = uri.getHost();
         }
commit	5c3aba200be469f7f69bbd2eb64e573a0560fcfc	[log] [tgz]
author	Paul Jensen <pauljensen@google.com>	Fri Apr 15 10:41:13 2016 -0400
committer	Feng Yu <feny@google.com>	Tue May 24 23:28:30 2016 +0000
tree	ab885722088b950e1aa66327451a704ed621bb7d
parent	058fe8ea6f9c70bac9fc63d1da8a88677d9fd946 [diff]