Pull upstream fix for CVE-2016-5552
to replace our local change that is essentially equivalent logic.
The upstream fix additionally fixes a flaw which if there is more
than one @ in the authority portion, then user and host are set to null
(ignored as malformed).
Upstream change:
Merge
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/1e8c18ddcab1
Test: libcore.java.net.URLTest#testMultipleUserField
Test: CtsLibcoreTestCases
Bug: 33351987
Change-Id: If5ab229f951c872aecb34834f0a52153f3f0fa26
(cherry picked from commit 2e3689a5019e781fb361cc67982926beaaa969c2)
(cherry picked from commit 7247f6a70e89efb4696aaaffaf7a0325604a6e06)
diff --git a/luni/src/test/java/libcore/java/net/URLTest.java b/luni/src/test/java/libcore/java/net/URLTest.java
index 629015f..7a323af 100644
--- a/luni/src/test/java/libcore/java/net/URLTest.java
+++ b/luni/src/test/java/libcore/java/net/URLTest.java
@@ -779,4 +779,11 @@
assertEquals(host, url.getHost());
assertEquals(fragment, url.getRef());
}
+
+ // http://b/33351987
+ public void testMultipleUserField() throws Exception {
+ final String host = "http://multiple@users@url.com";
+ URL url = new URL(host);
+ assertNull(url.getUserInfo());
+ }
}
diff --git a/ojluni/src/main/java/java/net/URLStreamHandler.java b/ojluni/src/main/java/java/net/URLStreamHandler.java
index ddea036..0892d67 100755
--- a/ojluni/src/main/java/java/net/URLStreamHandler.java
+++ b/ojluni/src/main/java/java/net/URLStreamHandler.java
@@ -169,26 +169,24 @@
(spec.charAt(start + 1) == '/')) {
start += 2;
i = spec.indexOf('/', start);
- if (i < 0) {
+ if (i < 0 || i > limit) {
i = spec.indexOf('?', start);
- if (i < 0)
+ if (i < 0 || i > limit)
i = limit;
}
- // ----- BEGIN android -----
- // i may become greater than limit
- // b/31858037
- if (i > limit) {
- i = limit;
- }
- // ----- END android -----
-
host = authority = spec.substring(start, i);
int ind = authority.indexOf('@');
if (ind != -1) {
- userInfo = authority.substring(0, ind);
- host = authority.substring(ind+1);
+ if (ind != authority.lastIndexOf('@')) {
+ // more than one '@' in authority. This is not server based
+ userInfo = null;
+ host = null;
+ } else {
+ userInfo = authority.substring(0, ind);
+ host = authority.substring(ind+1);
+ }
} else {
userInfo = null;
}