Don't pass URL path and username/password to PAC scripts The URL path could contain credentials that apps don't want exposed to a potentially malicious PAC script. Bug: 27593919 Change-Id: I4bb0362fc91f70ad47c4c7453d77d6f9a1e8eeed

commit: ec2fc50d202d975447211012997fe425496c849c [log] [tgz]
author: Paul Jensen <pauljensen@google.com> Fri Apr 15 10:41:13 2016 -0400
committer: The Android Automerger <android-build@google.com> Fri May 27 11:31:17 2016 -0700
tree: 30a12a2920d11be5da2575d9c25f713744926f86
parent: e83f0f6a5a6f35323f5367f99c8e287c440f33f5 [diff]
diff --git a/core/java/android/net/PacProxySelector.java b/core/java/android/net/PacProxySelector.java index 9bdf4f6..85bf79a 100644 --- a/core/java/android/net/PacProxySelector.java +++ b/core/java/android/net/PacProxySelector.java 
@@ -30,6 +30,7 @@  import java.net.ProxySelector;  import java.net.SocketAddress;  import java.net.URI; +import java.net.URISyntaxException;  import java.util.List;    /** @@ -67,7 +68,15 @@  String response = null;  String urlString;  try { + // Strip path and username/password from URI so it's not visible to PAC script. The + // path often contains credentials the app does not want exposed to a potentially + // malicious PAC script. + if (!"http".equalsIgnoreCase(uri.getScheme())) { + uri = new URI(uri.getScheme(), null, uri.getHost(), uri.getPort(), "/", null, null); + }  urlString = uri.toURL().toString(); + } catch (URISyntaxException e) { + urlString = uri.getHost();  } catch (MalformedURLException e) {  urlString = uri.getHost();  }
commit	ec2fc50d202d975447211012997fe425496c849c	[log] [tgz]
author	Paul Jensen <pauljensen@google.com>	Fri Apr 15 10:41:13 2016 -0400
committer	The Android Automerger <android-build@google.com>	Fri May 27 11:31:17 2016 -0700
tree	30a12a2920d11be5da2575d9c25f713744926f86
parent	e83f0f6a5a6f35323f5367f99c8e287c440f33f5 [diff]