Android CTS 5.1 Release 28 (4607396)
-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCWqcFnQAKCRDorT+BmrEO
eDt4AJ9Lpizld8ryIGZwjsriwyBkDs6BwQCggJCP2i1idNXXTc+TIlvxlsqx8s8=
=HFT5
-----END PGP SIGNATURE-----
Patch Exchange Autodiscover Code for Security Issue

The change removes the unauthenticated GET fallback attempt for the
Autodiscover process. Given that the Autodiscover code is functionally broken
and this fallback attempt wouldn't succeed unless an attacker faked a success
response, a good way to patch the security issue is to disable the attempt.

The change also updates the request content type, disables automatic
redirects, and allows for parsing namespaces to help the first two attempts
succeed. As this is not meant to be a functional patch but a security patch,
there are no further changes to the Autodiscover code.

BUG: 26488455
Change-Id: I0fc93c95e755c8fa60e94da5bec4b3b4c49cdfc1
2 files changed