Google Git
Sign in
android / platform / libcore / d1e27af^! / .
commitd1e27af0a90da8b9c416144839a2dabc5c374cb2[log] [tgz]
authorYi Kong <yikong@google.com>Thu Jan 19 11:28:29 2017 +0100
committergitbuildkicker <android-build@google.com>Tue Feb 21 17:19:26 2017 -0800
tree831257e3f270b191845621abefac272681f4e615
parent6ff18ae2065bcb20c131c5723cc8869f62d6ece4 [diff]
Pull upstream fix for CVE-2016-5552

to replace our local change that is essentially equivalent logic.

The upstream fix additionally fixes a flaw which if there is more
than one @ in the authority portion, then user and host are set to null
(ignored as malformed).

Upstream change:
  Merge

  http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/1e8c18ddcab1

Test: libcore.java.net.URLTest#testMultipleUserField
Test: CtsLibcoreTestCases
Bug: 33351987
Change-Id: If5ab229f951c872aecb34834f0a52153f3f0fa26
(cherry picked from commit 2e3689a5019e781fb361cc67982926beaaa969c2)
(cherry picked from commit 7247f6a70e89efb4696aaaffaf7a0325604a6e06)

diff --git a/luni/src/test/java/libcore/java/net/URLTest.java b/luni/src/test/java/libcore/java/net/URLTest.java
index 629015f..7a323af 100644
--- a/luni/src/test/java/libcore/java/net/URLTest.java
+++ b/luni/src/test/java/libcore/java/net/URLTest.java

@@ -779,4 +779,11 @@
         assertEquals(host, url.getHost());
         assertEquals(fragment, url.getRef());
     }
+
+    // http://b/33351987
+    public void testMultipleUserField() throws Exception {
+        final String host = "http://multiple@users@url.com";
+        URL url = new URL(host);
+        assertNull(url.getUserInfo());
+    }
 }

diff --git a/ojluni/src/main/java/java/net/URLStreamHandler.java b/ojluni/src/main/java/java/net/URLStreamHandler.java
index ddea036..0892d67 100755
--- a/ojluni/src/main/java/java/net/URLStreamHandler.java
+++ b/ojluni/src/main/java/java/net/URLStreamHandler.java

@@ -169,26 +169,24 @@
             (spec.charAt(start + 1) == '/')) {
             start += 2;
             i = spec.indexOf('/', start);
-            if (i < 0) {
+            if (i < 0 || i > limit) {
                 i = spec.indexOf('?', start);
-                if (i < 0)
+                if (i < 0 || i > limit)
                     i = limit;
             }
 
-            // ----- BEGIN android -----
-            // i may become greater than limit
-            // b/31858037
-            if (i > limit) {
-                i = limit;
-            }
-            // ----- END android -----
-
             host = authority = spec.substring(start, i);
 
             int ind = authority.indexOf('@');
             if (ind != -1) {
-                userInfo = authority.substring(0, ind);
-                host = authority.substring(ind+1);
+                if (ind != authority.lastIndexOf('@')) {
+                    // more than one '@' in authority. This is not server based
+                    userInfo = null;
+                    host = null;
+                } else {
+                    userInfo = authority.substring(0, ind);
+                    host = authority.substring(ind+1);
+                }
             } else {
                 userInfo = null;
             }