Merge "Sanitized uri scheme by removing scheme delimiter" into main

c286eecc · Treehugger Robot · Android (Google) Code Review · b310a0e0 · 737bc87e · c286eecc
Commit c286eecc authored 10 months ago by Treehugger Robot Committed by Android (Google) Code Review 10 months ago
--- a/core/java/android/net/Uri.java
+++ b/core/java/android/net/Uri.java
@@ -1387,7 +1387,11 @@ public abstract class Uri implements Parcelable, Comparable<Uri> {
         * @param scheme name or {@code null} if this is a relative Uri
         */
        public Builder scheme(String scheme) {
-            this.scheme = scheme;
+            if (scheme != null) {
+                this.scheme = scheme.replaceAll("://", "");
+            } else {
+                this.scheme = null;
+            }
            return this;
        }


--- a/core/tests/coretests/src/android/net/UriTest.java
+++ b/core/tests/coretests/src/android/net/UriTest.java
@@ -18,6 +18,7 @@ package android.net;

 import android.content.ContentUris;
 import android.os.Parcel;
+import android.platform.test.annotations.AsbSecurityTest;

 import androidx.test.filters.SmallTest;

@@ -86,6 +87,16 @@ public class UriTest extends TestCase {
        assertNull(u.getHost());
    }

+    @AsbSecurityTest(cveBugId = 261721900)
+    @SmallTest
+    public void testSchemeSanitization() {
+        Uri uri = new Uri.Builder()
+                .scheme("http://https://evil.com:/te:st/")
+                .authority("google.com").path("one/way").build();
+        assertEquals("httphttpsevil.com:/te:st/", uri.getScheme());
+        assertEquals("httphttpsevil.com:/te:st/://google.com/one/way", uri.toString());
+    }
+
    @SmallTest
    public void testStringUri() {
        assertEquals("bob lee",