authorJason Monk <jmonk@google.com>2013-08-21 14:08:52 -0400
committerJason Monk <jmonk@google.com>2013-08-22 15:46:11 -0400
commit7a6af1c09306fa833d11f5ffd100eff7b1a35a4c (patch)
tree52eb55f5ed0ecc7c2ab588847377680645b7fb06 /packages/services/PacProcessor
parent0125ba70bb41406ed597002498823232c8b163b8 (diff)
Verify inputs to PAC resolving.
This verifies both the URL and host are valid before they are passed to the javascript for PAC. This is to protect against injection attacks. Bug: 10230771 Change-Id: Ib1996181971a49ccd390f181ec3848124801e4d5
Diffstat (limited to 'packages/services/PacProcessor')
-rw-r--r--packages/services/PacProcessor/src/com/android/pacprocessor/PacService.java16
1 files changed, 15 insertions, 1 deletions
diff --git a/packages/services/PacProcessor/src/com/android/pacprocessor/PacService.java b/packages/services/PacProcessor/src/com/android/pacprocessor/PacService.java
index 7e760251ac8a..c6b76f173ff3 100644
--- a/packages/services/PacProcessor/src/com/android/pacprocessor/PacService.java
+++ b/packages/services/PacProcessor/src/com/android/pacprocessor/PacService.java
@@ -25,6 +25,9 @@ import android.util.Log;
import com.android.net.IProxyService;
+import java.net.MalformedURLException;
+import java.net.URL;
+
public class PacService extends Service {
private static final String TAG = "PacService";
@@ -68,7 +71,18 @@ public class PacService extends Service {
@Override
public String resolvePacFile(String host, String url) throws RemoteException {
- return mPacNative.makeProxyRequest(url, host);
+ try {
+ // Check for characters that could be used for an injection attack.
+ new URL(url);
+ for (char c : host.toCharArray()) {
+ if (!Character.isLetterOrDigit(c) && (c != '.') && (c != '-')) {
+ throw new RemoteException("Invalid host was passed");
+ }
+ }
+ return mPacNative.makeProxyRequest(url, host);
+ } catch (MalformedURLException e) {
+ throw new RemoteException("Invalid URL was passed");
+ }
}
@Override
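Review bot: The `new URL(url)` call in resolvePacFile only proves that the string parses with a recognised protocol; unlike the loop over `host` it applies no character allow-list, so the comment `// Check for characters that could be used for an injection attack.` holds for `host` but not for `url`. How makeProxyRequest places the URL into the PAC script is outside this hunk, so either the value must be escaped at that point or it needs its own restriction here, and the comment should say which of the two is relied on. A null `host` also reaches `host.toCharArray()` and surfaces as a NullPointerException instead of the RemoteException used for other bad input; a guard such as `if (host == null || url == null) throw new RemoteException("Null host or URL was passed");` ahead of the `try` would cover it. `Character.isLetterOrDigit` accepts non-ASCII letters and digits as well, which is wider than the hostname alphabet the check appears to intend.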