commit | 92a7b90bca984fc219d5547c7196d1db3e003342 | [log] [tgz] |
---|---|---|
author | Przemyslaw Szczepaniak <pszczepaniak@google.com> | Mon Mar 27 13:19:35 2017 +0100 |
committer | android-build-team Robot <android-build-team-robot@google.com> | Thu Apr 20 22:36:21 2017 +0000 |
tree | ebcd9749667c2c644244cab0937da5475ec7fa64 | |
parent | e0874054acea0e164c4464d3bb82302df50e8e5c [diff] |
Reject ftp URLConnection containing /r/n in user info. Change-Id: Iac06b3cc9a8a184f918d817d266eac55699d13bc
diff --git a/ojluni/src/main/java/sun/net/www/protocol/ftp/FtpURLConnection.java b/ojluni/src/main/java/sun/net/www/protocol/ftp/FtpURLConnection.java index e2b7fa1..fd96343 100755 --- a/ojluni/src/main/java/sun/net/www/protocol/ftp/FtpURLConnection.java +++ b/ojluni/src/main/java/sun/net/www/protocol/ftp/FtpURLConnection.java
@@ -184,6 +184,12 @@ } if (userInfo != null) { // get the user and password + // Android-changed: Added a test for CR/LF presence in the userInfo + if (userInfo.indexOf("\r") != -1 || userInfo.indexOf("\n") != -1) { + throw new IOException("<CR> and/or <LF> characters in username and password are" + + " not permitted"); + } + int delimiter = userInfo.indexOf(':'); if (delimiter == -1) { user = ParseUtil.decode(userInfo);