1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "components/url_formatter/url_formatter.h"
6
7 #include <algorithm>
8 #include <utility>
9 #include <vector>
10
11 #include "base/lazy_instance.h"
12 #include "base/numerics/safe_conversions.h"
13 #include "base/stl_util.h"
14 #include "base/strings/string_piece.h"
15 #include "base/strings/string_util.h"
16 #include "base/strings/utf_offset_string_conversions.h"
17 #include "base/strings/utf_string_conversions.h"
18 #include "base/threading/thread_local_storage.h"
19 #include "build/build_config.h"
20 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
21 #include "third_party/icu/source/common/unicode/uidna.h"
22 #include "third_party/icu/source/common/unicode/utypes.h"
23 #include "url/gurl.h"
24 #include "url/third_party/mozilla/url_parse.h"
25
26 namespace url_formatter {
27
28 namespace {
29
30 const char kWww[] = "www.";
31 constexpr size_t kWwwLength = 4;
32
33 IDNConversionResult IDNToUnicodeWithAdjustments(
34 base::StringPiece host,
35 base::OffsetAdjuster::Adjustments* adjustments);
36
37 // Result of converting a single IDN component (i.e. label) to unicode.
38 struct ComponentResult {
39 // Set to true if the component is converted to unicode.
40 bool converted = false;
41 // Set to true if the component is IDN, even if it's not converted to unicode.
42 bool has_idn_component = false;
43 // Result of the IDN spoof check.
44 IDNSpoofChecker::Result spoof_check_result = IDNSpoofChecker::Result::kNone;
45 };
46
47 ComponentResult IDNToUnicodeOneComponent(
48 const base::char16* comp,
49 size_t comp_len,
50 base::StringPiece top_level_domain,
51 base::StringPiece16 top_level_domain_unicode,
52 bool ignore_spoof_check_results,
53 base::string16* out);
54
55 class AppendComponentTransform {
56 public:
AppendComponentTransform()57 AppendComponentTransform() {}
~AppendComponentTransform()58 virtual ~AppendComponentTransform() {}
59
60 virtual base::string16 Execute(
61 const std::string& component_text,
62 base::OffsetAdjuster::Adjustments* adjustments) const = 0;
63
64 // NOTE: No DISALLOW_COPY_AND_ASSIGN here, since gcc < 4.3.0 requires an
65 // accessible copy constructor in order to call AppendFormattedComponent()
66 // with an inline temporary (see http://gcc.gnu.org/bugs/#cxx%5Frvalbind ).
67 };
68
69 class HostComponentTransform : public AppendComponentTransform {
70 public:
HostComponentTransform(bool trim_trivial_subdomains)71 explicit HostComponentTransform(bool trim_trivial_subdomains)
72 : trim_trivial_subdomains_(trim_trivial_subdomains) {}
73
74 private:
Execute(const std::string & component_text,base::OffsetAdjuster::Adjustments * adjustments) const75 base::string16 Execute(
76 const std::string& component_text,
77 base::OffsetAdjuster::Adjustments* adjustments) const override {
78 if (!trim_trivial_subdomains_)
79 return IDNToUnicodeWithAdjustments(component_text, adjustments).result;
80
81 std::string www_stripped_component_text = StripWWW(component_text);
82 // If StripWWW() did nothing, then "www." wasn't a prefix, or it otherwise
83 // didn't meet conditions for stripping "www." (such as intranet hostnames).
84 // In this case, no adjustments for trivial subdomains are needed.
85 if (www_stripped_component_text == component_text)
86 return IDNToUnicodeWithAdjustments(component_text, adjustments).result;
87 base::OffsetAdjuster::Adjustments trivial_subdomains_adjustments;
88 trivial_subdomains_adjustments.push_back(
89 base::OffsetAdjuster::Adjustment(0, kWwwLength, 0));
90 base::string16 unicode_result =
91 IDNToUnicodeWithAdjustments(www_stripped_component_text, adjustments)
92 .result;
93 base::OffsetAdjuster::MergeSequentialAdjustments(
94 trivial_subdomains_adjustments, adjustments);
95 return unicode_result;
96 }
97
98 bool trim_trivial_subdomains_;
99 };
100
101 class NonHostComponentTransform : public AppendComponentTransform {
102 public:
NonHostComponentTransform(net::UnescapeRule::Type unescape_rules)103 explicit NonHostComponentTransform(net::UnescapeRule::Type unescape_rules)
104 : unescape_rules_(unescape_rules) {}
105
106 private:
Execute(const std::string & component_text,base::OffsetAdjuster::Adjustments * adjustments) const107 base::string16 Execute(
108 const std::string& component_text,
109 base::OffsetAdjuster::Adjustments* adjustments) const override {
110 return (unescape_rules_ == net::UnescapeRule::NONE)
111 ? base::UTF8ToUTF16WithAdjustments(component_text, adjustments)
112 : net::UnescapeAndDecodeUTF8URLComponentWithAdjustments(
113 component_text, unescape_rules_, adjustments);
114 }
115
116 const net::UnescapeRule::Type unescape_rules_;
117 };
118
119 // Transforms the portion of |spec| covered by |original_component| according to
120 // |transform|. Appends the result to |output|. If |output_component| is
121 // non-NULL, its start and length are set to the transformed component's new
122 // start and length. If |adjustments| is non-NULL, appends adjustments (if
123 // any) that reflect the transformation the original component underwent to
124 // become the transformed value appended to |output|.
AppendFormattedComponent(const std::string & spec,const url::Component & original_component,const AppendComponentTransform & transform,base::string16 * output,url::Component * output_component,base::OffsetAdjuster::Adjustments * adjustments)125 void AppendFormattedComponent(const std::string& spec,
126 const url::Component& original_component,
127 const AppendComponentTransform& transform,
128 base::string16* output,
129 url::Component* output_component,
130 base::OffsetAdjuster::Adjustments* adjustments) {
131 DCHECK(output);
132 if (original_component.is_nonempty()) {
133 size_t original_component_begin =
134 static_cast<size_t>(original_component.begin);
135 size_t output_component_begin = output->length();
136 std::string component_str(spec, original_component_begin,
137 static_cast<size_t>(original_component.len));
138
139 // Transform |component_str| and modify |adjustments| appropriately.
140 base::OffsetAdjuster::Adjustments component_transform_adjustments;
141 output->append(
142 transform.Execute(component_str, &component_transform_adjustments));
143
144 // Shift all the adjustments made for this component so the offsets are
145 // valid for the original string and add them to |adjustments|.
146 for (auto comp_iter = component_transform_adjustments.begin();
147 comp_iter != component_transform_adjustments.end(); ++comp_iter)
148 comp_iter->original_offset += original_component_begin;
149 if (adjustments) {
150 adjustments->insert(adjustments->end(),
151 component_transform_adjustments.begin(),
152 component_transform_adjustments.end());
153 }
154
155 // Set positions of the parsed component.
156 if (output_component) {
157 output_component->begin = static_cast<int>(output_component_begin);
158 output_component->len =
159 static_cast<int>(output->length() - output_component_begin);
160 }
161 } else if (output_component) {
162 output_component->reset();
163 }
164 }
165
166 // If |component| is valid, its begin is incremented by |delta|.
AdjustComponent(int delta,url::Component * component)167 void AdjustComponent(int delta, url::Component* component) {
168 if (!component->is_valid())
169 return;
170
171 DCHECK(delta >= 0 || component->begin >= -delta);
172 component->begin += delta;
173 }
174
175 // Adjusts all the components of |parsed| by |delta|, except for the scheme.
AdjustAllComponentsButScheme(int delta,url::Parsed * parsed)176 void AdjustAllComponentsButScheme(int delta, url::Parsed* parsed) {
177 AdjustComponent(delta, &(parsed->username));
178 AdjustComponent(delta, &(parsed->password));
179 AdjustComponent(delta, &(parsed->host));
180 AdjustComponent(delta, &(parsed->port));
181 AdjustComponent(delta, &(parsed->path));
182 AdjustComponent(delta, &(parsed->query));
183 AdjustComponent(delta, &(parsed->ref));
184 }
185
186 // Helper for FormatUrlWithOffsets().
FormatViewSourceUrl(const GURL & url,FormatUrlTypes format_types,net::UnescapeRule::Type unescape_rules,url::Parsed * new_parsed,size_t * prefix_end,base::OffsetAdjuster::Adjustments * adjustments)187 base::string16 FormatViewSourceUrl(
188 const GURL& url,
189 FormatUrlTypes format_types,
190 net::UnescapeRule::Type unescape_rules,
191 url::Parsed* new_parsed,
192 size_t* prefix_end,
193 base::OffsetAdjuster::Adjustments* adjustments) {
194 DCHECK(new_parsed);
195 const char kViewSource[] = "view-source:";
196 const size_t kViewSourceLength = base::size(kViewSource) - 1;
197
198 // The URL embedded within view-source should never have destructive elisions
199 // applied to it. Users of view-source likely want to see the full URL.
200 format_types &= ~kFormatUrlOmitHTTPS;
201 format_types &= ~kFormatUrlOmitTrivialSubdomains;
202 format_types &= ~kFormatUrlTrimAfterHost;
203 format_types &= ~kFormatUrlOmitFileScheme;
204
205 // Format the underlying URL and record adjustments.
206 const std::string& url_str(url.possibly_invalid_spec());
207 adjustments->clear();
208 base::string16 result(
209 base::ASCIIToUTF16(kViewSource) +
210 FormatUrlWithAdjustments(GURL(url_str.substr(kViewSourceLength)),
211 format_types, unescape_rules, new_parsed,
212 prefix_end, adjustments));
213 // Revise |adjustments| by shifting to the offsets to prefix that the above
214 // call to FormatUrl didn't get to see.
215 for (auto it = adjustments->begin(); it != adjustments->end(); ++it)
216 it->original_offset += kViewSourceLength;
217
218 // Adjust positions of the parsed components.
219 if (new_parsed->scheme.is_nonempty()) {
220 // Assume "view-source:real-scheme" as a scheme.
221 new_parsed->scheme.len += kViewSourceLength;
222 } else {
223 new_parsed->scheme.begin = 0;
224 new_parsed->scheme.len = kViewSourceLength - 1;
225 }
226 AdjustAllComponentsButScheme(kViewSourceLength, new_parsed);
227
228 if (prefix_end)
229 *prefix_end += kViewSourceLength;
230
231 return result;
232 }
233
234 base::LazyInstance<IDNSpoofChecker>::Leaky g_idn_spoof_checker =
235 LAZY_INSTANCE_INITIALIZER;
236
237 // Computes the top level domain from |host|. top_level_domain_unicode will
238 // contain the unicode version of top_level_domain. top_level_domain_unicode can
239 // remain empty if the TLD is not well formed punycode.
GetTopLevelDomain(base::StringPiece host,base::StringPiece * top_level_domain,base::string16 * top_level_domain_unicode)240 void GetTopLevelDomain(base::StringPiece host,
241 base::StringPiece* top_level_domain,
242 base::string16* top_level_domain_unicode) {
243 size_t last_dot = host.rfind('.');
244 if (last_dot == base::StringPiece::npos)
245 return;
246
247 *top_level_domain = host.substr(last_dot + 1);
248 base::string16 tld16;
249 tld16.reserve(top_level_domain->length());
250 tld16.insert(tld16.end(), top_level_domain->begin(), top_level_domain->end());
251
252 // Convert the TLD to unicode, ignoring the spoof check results. This will
253 // always decode the input to unicode as long as it's valid punycode.
254 IDNToUnicodeOneComponent(
255 tld16.data(), tld16.size(), std::string(), base::string16(),
256 /*ignore_spoof_check_results=*/true, top_level_domain_unicode);
257 }
258
IDNToUnicodeWithAdjustmentsImpl(base::StringPiece host,base::OffsetAdjuster::Adjustments * adjustments,bool ignore_spoof_check_results)259 IDNConversionResult IDNToUnicodeWithAdjustmentsImpl(
260 base::StringPiece host,
261 base::OffsetAdjuster::Adjustments* adjustments,
262 bool ignore_spoof_check_results) {
263 if (adjustments)
264 adjustments->clear();
265 // Convert the ASCII input to a base::string16 for ICU.
266 base::string16 host16;
267 host16.reserve(host.length());
268 host16.insert(host16.end(), host.begin(), host.end());
269
270 // Compute the top level domain to be used in spoof checks later.
271 base::StringPiece top_level_domain;
272 base::string16 top_level_domain_unicode;
273 GetTopLevelDomain(host, &top_level_domain, &top_level_domain_unicode);
274
275 IDNConversionResult result;
276 // Do each component of the host separately, since we enforce script matching
277 // on a per-component basis.
278 base::string16 out16;
279 for (size_t component_start = 0, component_end;
280 component_start < host16.length(); component_start = component_end + 1) {
281 // Find the end of the component.
282 component_end = host16.find('.', component_start);
283 if (component_end == base::string16::npos)
284 component_end = host16.length(); // For getting the last component.
285 size_t component_length = component_end - component_start;
286 size_t new_component_start = out16.length();
287 ComponentResult component_result;
288 if (component_end > component_start) {
289 // Add the substring that we just found.
290 component_result = IDNToUnicodeOneComponent(
291 host16.data() + component_start, component_length, top_level_domain,
292 top_level_domain_unicode, ignore_spoof_check_results, &out16);
293 result.has_idn_component |= component_result.has_idn_component;
294 if (component_result.spoof_check_result !=
295 IDNSpoofChecker::Result::kNone &&
296 (result.spoof_check_result == IDNSpoofChecker::Result::kNone ||
297 result.spoof_check_result == IDNSpoofChecker::Result::kSafe)) {
298 result.spoof_check_result = component_result.spoof_check_result;
299 }
300 }
301 size_t new_component_length = out16.length() - new_component_start;
302
303 if (component_result.converted && adjustments) {
304 adjustments->push_back(base::OffsetAdjuster::Adjustment(
305 component_start, component_length, new_component_length));
306 }
307
308 // Need to add the dot we just found (if we found one).
309 if (component_end < host16.length())
310 out16.push_back('.');
311 }
312
313 result.result = out16;
314
315 // Leave as punycode any inputs that spoof top domains.
316 if (result.has_idn_component) {
317 result.matching_top_domain =
318 g_idn_spoof_checker.Get().GetSimilarTopDomain(out16);
319 if (!ignore_spoof_check_results &&
320 !result.matching_top_domain.domain.empty()) {
321 if (adjustments)
322 adjustments->clear();
323 result.result = host16;
324 }
325 }
326
327 return result;
328 }
329
330 // TODO(brettw): We may want to skip this step in the case of file URLs to
331 // allow unicode UNC hostnames regardless of encodings.
IDNToUnicodeWithAdjustments(base::StringPiece host,base::OffsetAdjuster::Adjustments * adjustments)332 IDNConversionResult IDNToUnicodeWithAdjustments(
333 base::StringPiece host,
334 base::OffsetAdjuster::Adjustments* adjustments) {
335 return IDNToUnicodeWithAdjustmentsImpl(host, adjustments,
336 /*ignore_spoof_check_results=*/false);
337 }
338
UnsafeIDNToUnicodeWithAdjustments(base::StringPiece host,base::OffsetAdjuster::Adjustments * adjustments)339 IDNConversionResult UnsafeIDNToUnicodeWithAdjustments(
340 base::StringPiece host,
341 base::OffsetAdjuster::Adjustments* adjustments) {
342 return IDNToUnicodeWithAdjustmentsImpl(host, adjustments,
343 /*ignore_spoof_check_results=*/true);
344 }
345
346 // Returns true if the given Unicode host component is safe to display to the
347 // user. Note that this function does not deal with pure ASCII domain labels at
348 // all even though it's possible to make up look-alike labels with ASCII
349 // characters alone.
SpoofCheckIDNComponent(base::StringPiece16 label,base::StringPiece top_level_domain,base::StringPiece16 top_level_domain_unicode)350 IDNSpoofChecker::Result SpoofCheckIDNComponent(
351 base::StringPiece16 label,
352 base::StringPiece top_level_domain,
353 base::StringPiece16 top_level_domain_unicode) {
354 return g_idn_spoof_checker.Get().SafeToDisplayAsUnicode(
355 label, top_level_domain, top_level_domain_unicode);
356 }
357
358 // A wrapper to use LazyInstance<>::Leaky with ICU's UIDNA, a C pointer to
359 // a UTS46/IDNA 2008 handling object opened with uidna_openUTS46().
360 //
361 // We use UTS46 with BiDiCheck to migrate from IDNA 2003 to IDNA 2008 with the
362 // backward compatibility in mind. What it does:
363 //
364 // 1. Use the up-to-date Unicode data.
365 // 2. Define a case folding/mapping with the up-to-date Unicode data as in
366 // IDNA 2003.
367 // 3. Use transitional mechanism for 4 deviation characters (sharp-s,
368 // final sigma, ZWJ and ZWNJ) for now.
369 // 4. Continue to allow symbols and punctuations.
370 // 5. Apply new BiDi check rules more permissive than the IDNA 2003 BiDI rules.
371 // 6. Do not apply STD3 rules
372 // 7. Do not allow unassigned code points.
373 //
374 // It also closely matches what IE 10 does except for the BiDi check (
375 // http://goo.gl/3XBhqw ).
376 // See http://http://unicode.org/reports/tr46/ and references therein/ for more
377 // details.
378 struct UIDNAWrapper {
UIDNAWrapperurl_formatter::__anon210b61690111::UIDNAWrapper379 UIDNAWrapper() {
380 UErrorCode err = U_ZERO_ERROR;
381 // TODO(jungshik): Change options as different parties (browsers,
382 // registrars, search engines) converge toward a consensus.
383 value = uidna_openUTS46(UIDNA_CHECK_BIDI, &err);
384 CHECK(U_SUCCESS(err)) << "failed to open UTS46 data with error: "
385 << u_errorName(err)
386 << ". If you see this error message in a test "
387 << "environment your test environment likely lacks "
388 << "the required data tables for libicu. See "
389 << "https://crbug.com/778929.";
390 }
391
392 UIDNA* value;
393 };
394
395 base::LazyInstance<UIDNAWrapper>::Leaky g_uidna = LAZY_INSTANCE_INITIALIZER;
396
397 // Converts one component (label) of a host (between dots) to Unicode if safe.
398 // If |ignore_spoof_check_results| is true and input is valid unicode, ignores
399 // spoof check results and always converts the input to unicode. The result will
400 // be APPENDED to the given output string and will be the same as the input if
401 // it is not IDN in ACE/punycode or the IDN is unsafe to display. Returns true
402 // if conversion was made. Sets |has_idn_component| to true if the input has
403 // IDN, regardless of whether it was converted to unicode or not.
IDNToUnicodeOneComponent(const base::char16 * comp,size_t comp_len,base::StringPiece top_level_domain,base::StringPiece16 top_level_domain_unicode,bool ignore_spoof_check_results,base::string16 * out)404 ComponentResult IDNToUnicodeOneComponent(
405 const base::char16* comp,
406 size_t comp_len,
407 base::StringPiece top_level_domain,
408 base::StringPiece16 top_level_domain_unicode,
409 bool ignore_spoof_check_results,
410 base::string16* out) {
411 DCHECK(out);
412 ComponentResult result;
413 if (comp_len == 0)
414 return result;
415
416 // Early return if the input cannot be an IDN component.
417 // Valid punycode must not end with a dash.
418 static const base::char16 kIdnPrefix[] = {'x', 'n', '-', '-'};
419 if (comp_len <= base::size(kIdnPrefix) ||
420 memcmp(comp, kIdnPrefix, sizeof(kIdnPrefix)) != 0 ||
421 comp[comp_len - 1] == '-') {
422 out->append(comp, comp_len);
423 return result;
424 }
425
426 UIDNA* uidna = g_uidna.Get().value;
427 DCHECK(uidna != nullptr);
428 size_t original_length = out->length();
429 int32_t output_length = 64;
430 UIDNAInfo info = UIDNA_INFO_INITIALIZER;
431 UErrorCode status;
432 do {
433 out->resize(original_length + output_length);
434 status = U_ZERO_ERROR;
435 // This returns the actual length required. If this is more than 64
436 // code units, |status| will be U_BUFFER_OVERFLOW_ERROR and we'll try
437 // the conversion again, but with a sufficiently large buffer.
438 output_length = uidna_labelToUnicode(
439 uidna, comp, static_cast<int32_t>(comp_len), &(*out)[original_length],
440 output_length, &info, &status);
441 } while ((status == U_BUFFER_OVERFLOW_ERROR && info.errors == 0));
442
443 if (U_SUCCESS(status) && info.errors == 0) {
444 result.has_idn_component = true;
445 // Converted successfully. At this point the length of the output string
446 // is original_length + output_length which may be shorter than the current
447 // length of |out|. Trim |out| and ensure that the converted component can
448 // be safely displayed to the user.
449 out->resize(original_length + output_length);
450 result.spoof_check_result = SpoofCheckIDNComponent(
451 base::StringPiece16(out->data() + original_length,
452 base::checked_cast<size_t>(output_length)),
453 top_level_domain, top_level_domain_unicode);
454 DCHECK_NE(IDNSpoofChecker::Result::kNone, result.spoof_check_result);
455 if (ignore_spoof_check_results ||
456 result.spoof_check_result == IDNSpoofChecker::Result::kSafe) {
457 result.converted = true;
458 return result;
459 }
460 }
461
462 // We get here with no IDN or on error, in which case we just revert to
463 // original string and append the literal input.
464 out->resize(original_length);
465 out->append(comp, comp_len);
466 return result;
467 }
468
469 } // namespace
470
471 const FormatUrlType kFormatUrlOmitNothing = 0;
472 const FormatUrlType kFormatUrlOmitUsernamePassword = 1 << 0;
473 const FormatUrlType kFormatUrlOmitHTTP = 1 << 1;
474 const FormatUrlType kFormatUrlOmitTrailingSlashOnBareHostname = 1 << 2;
475 const FormatUrlType kFormatUrlOmitHTTPS = 1 << 3;
476 const FormatUrlType kFormatUrlOmitTrivialSubdomains = 1 << 5;
477 const FormatUrlType kFormatUrlTrimAfterHost = 1 << 6;
478 const FormatUrlType kFormatUrlOmitFileScheme = 1 << 7;
479 const FormatUrlType kFormatUrlOmitMailToScheme = 1 << 8;
480
481 const FormatUrlType kFormatUrlOmitDefaults =
482 kFormatUrlOmitUsernamePassword | kFormatUrlOmitHTTP |
483 kFormatUrlOmitTrailingSlashOnBareHostname;
484
FormatUrl(const GURL & url,FormatUrlTypes format_types,net::UnescapeRule::Type unescape_rules,url::Parsed * new_parsed,size_t * prefix_end,size_t * offset_for_adjustment)485 base::string16 FormatUrl(const GURL& url,
486 FormatUrlTypes format_types,
487 net::UnescapeRule::Type unescape_rules,
488 url::Parsed* new_parsed,
489 size_t* prefix_end,
490 size_t* offset_for_adjustment) {
491 base::OffsetAdjuster::Adjustments adjustments;
492 base::string16 result = FormatUrlWithAdjustments(
493 url, format_types, unescape_rules, new_parsed, prefix_end, &adjustments);
494 if (offset_for_adjustment) {
495 base::OffsetAdjuster::AdjustOffset(adjustments, offset_for_adjustment,
496 result.length());
497 }
498 return result;
499 }
500
FormatUrlWithOffsets(const GURL & url,FormatUrlTypes format_types,net::UnescapeRule::Type unescape_rules,url::Parsed * new_parsed,size_t * prefix_end,std::vector<size_t> * offsets_for_adjustment)501 base::string16 FormatUrlWithOffsets(
502 const GURL& url,
503 FormatUrlTypes format_types,
504 net::UnescapeRule::Type unescape_rules,
505 url::Parsed* new_parsed,
506 size_t* prefix_end,
507 std::vector<size_t>* offsets_for_adjustment) {
508 base::OffsetAdjuster::Adjustments adjustments;
509 const base::string16& result = FormatUrlWithAdjustments(
510 url, format_types, unescape_rules, new_parsed, prefix_end, &adjustments);
511 base::OffsetAdjuster::AdjustOffsets(adjustments, offsets_for_adjustment,
512 result.length());
513 return result;
514 }
515
FormatUrlWithAdjustments(const GURL & url,FormatUrlTypes format_types,net::UnescapeRule::Type unescape_rules,url::Parsed * new_parsed,size_t * prefix_end,base::OffsetAdjuster::Adjustments * adjustments)516 base::string16 FormatUrlWithAdjustments(
517 const GURL& url,
518 FormatUrlTypes format_types,
519 net::UnescapeRule::Type unescape_rules,
520 url::Parsed* new_parsed,
521 size_t* prefix_end,
522 base::OffsetAdjuster::Adjustments* adjustments) {
523 DCHECK(adjustments);
524 adjustments->clear();
525 url::Parsed parsed_temp;
526 if (!new_parsed)
527 new_parsed = &parsed_temp;
528 else
529 *new_parsed = url::Parsed();
530
531 // Special handling for view-source:. Don't use content::kViewSourceScheme
532 // because this library shouldn't depend on chrome.
533 const char kViewSource[] = "view-source";
534 // Reject "view-source:view-source:..." to avoid deep recursion.
535 const char kViewSourceTwice[] = "view-source:view-source:";
536 if (url.SchemeIs(kViewSource) &&
537 !base::StartsWith(url.possibly_invalid_spec(), kViewSourceTwice,
538 base::CompareCase::INSENSITIVE_ASCII)) {
539 return FormatViewSourceUrl(url, format_types, unescape_rules,
540 new_parsed, prefix_end, adjustments);
541 }
542
543 // We handle both valid and invalid URLs (this will give us the spec
544 // regardless of validity).
545 const std::string& spec = url.possibly_invalid_spec();
546 const url::Parsed& parsed = url.parsed_for_possibly_invalid_spec();
547
548 // Scheme & separators. These are ASCII.
549 size_t scheme_size = static_cast<size_t>(parsed.CountCharactersBefore(
550 url::Parsed::USERNAME, true /* include_delimiter */));
551 base::string16 url_string;
552 url_string.insert(url_string.end(), spec.begin(), spec.begin() + scheme_size);
553 new_parsed->scheme = parsed.scheme;
554
555 // Username & password.
556 if (((format_types & kFormatUrlOmitUsernamePassword) != 0) ||
557 ((format_types & kFormatUrlTrimAfterHost) != 0)) {
558 // Remove the username and password fields. We don't want to display those
559 // to the user since they can be used for attacks,
560 // e.g. "http://google.com:search@evil.ru/"
561 new_parsed->username.reset();
562 new_parsed->password.reset();
563 // Update the adjustments based on removed username and/or password.
564 if (parsed.username.is_nonempty() || parsed.password.is_nonempty()) {
565 if (parsed.username.is_nonempty() && parsed.password.is_nonempty()) {
566 // The seeming off-by-two is to account for the ':' after the username
567 // and '@' after the password.
568 adjustments->push_back(base::OffsetAdjuster::Adjustment(
569 static_cast<size_t>(parsed.username.begin),
570 static_cast<size_t>(parsed.username.len + parsed.password.len + 2),
571 0));
572 } else {
573 const url::Component* nonempty_component =
574 parsed.username.is_nonempty() ? &parsed.username : &parsed.password;
575 // The seeming off-by-one is to account for the '@' after the
576 // username/password.
577 adjustments->push_back(base::OffsetAdjuster::Adjustment(
578 static_cast<size_t>(nonempty_component->begin),
579 static_cast<size_t>(nonempty_component->len + 1), 0));
580 }
581 }
582 } else {
583 AppendFormattedComponent(spec, parsed.username,
584 NonHostComponentTransform(unescape_rules),
585 &url_string, &new_parsed->username, adjustments);
586 if (parsed.password.is_valid())
587 url_string.push_back(':');
588 AppendFormattedComponent(spec, parsed.password,
589 NonHostComponentTransform(unescape_rules),
590 &url_string, &new_parsed->password, adjustments);
591 if (parsed.username.is_valid() || parsed.password.is_valid())
592 url_string.push_back('@');
593 }
594 if (prefix_end)
595 *prefix_end = static_cast<size_t>(url_string.length());
596
597 // Host.
598 bool trim_trivial_subdomains =
599 (format_types & kFormatUrlOmitTrivialSubdomains) != 0;
600 AppendFormattedComponent(spec, parsed.host,
601 HostComponentTransform(trim_trivial_subdomains),
602 &url_string, &new_parsed->host, adjustments);
603
604 // Port.
605 if (parsed.port.is_nonempty()) {
606 url_string.push_back(':');
607 new_parsed->port.begin = url_string.length();
608 url_string.insert(url_string.end(), spec.begin() + parsed.port.begin,
609 spec.begin() + parsed.port.end());
610 new_parsed->port.len = url_string.length() - new_parsed->port.begin;
611 } else {
612 new_parsed->port.reset();
613 }
614
615 // Path & query. Both get the same general unescape & convert treatment.
616 if ((format_types & kFormatUrlTrimAfterHost) && url.IsStandard() &&
617 !url.SchemeIsFile() && !url.SchemeIsFileSystem()) {
618 size_t trimmed_length = parsed.path.len;
619 // Remove query and the '?' delimeter.
620 if (parsed.query.is_valid())
621 trimmed_length += parsed.query.len + 1;
622
623 // Remove ref and the '#" delimiter.
624 if (parsed.ref.is_valid())
625 trimmed_length += parsed.ref.len + 1;
626
627 adjustments->push_back(
628 base::OffsetAdjuster::Adjustment(parsed.path.begin, trimmed_length, 0));
629
630 } else if ((format_types & kFormatUrlOmitTrailingSlashOnBareHostname) &&
631 CanStripTrailingSlash(url)) {
632 // Omit the path, which is a single trailing slash. There's no query or ref.
633 if (parsed.path.len > 0) {
634 adjustments->push_back(base::OffsetAdjuster::Adjustment(
635 parsed.path.begin, parsed.path.len, 0));
636 }
637 } else {
638 // Append the formatted path, query, and ref.
639 AppendFormattedComponent(spec, parsed.path,
640 NonHostComponentTransform(unescape_rules),
641 &url_string, &new_parsed->path, adjustments);
642
643 if (parsed.query.is_valid())
644 url_string.push_back('?');
645 AppendFormattedComponent(spec, parsed.query,
646 NonHostComponentTransform(unescape_rules),
647 &url_string, &new_parsed->query, adjustments);
648
649 if (parsed.ref.is_valid())
650 url_string.push_back('#');
651 AppendFormattedComponent(spec, parsed.ref,
652 NonHostComponentTransform(unescape_rules),
653 &url_string, &new_parsed->ref, adjustments);
654 }
655
656 // url_formatter::FixupURL() treats "ftp.foo.com" as ftp://ftp.foo.com. This
657 // means that if we trim the scheme off a URL whose host starts with "ftp."
658 // and the user inputs this into any field subject to fixup (which is
659 // basically all input fields), the meaning would be changed. (In fact, often
660 // the formatted URL is directly pre-filled into an input field.) For this
661 // reason we avoid stripping schemes in this case.
662 const char kFTP[] = "ftp.";
663 bool strip_scheme =
664 !base::StartsWith(url.host(), kFTP, base::CompareCase::SENSITIVE) &&
665 (((format_types & kFormatUrlOmitHTTP) &&
666 url.SchemeIs(url::kHttpScheme)) ||
667 ((format_types & kFormatUrlOmitHTTPS) &&
668 url.SchemeIs(url::kHttpsScheme)) ||
669 ((format_types & kFormatUrlOmitFileScheme) &&
670 url.SchemeIs(url::kFileScheme)) ||
671 ((format_types & kFormatUrlOmitMailToScheme) &&
672 url.SchemeIs(url::kMailToScheme)));
673
674 // If we need to strip out schemes do it after the fact.
675 if (strip_scheme) {
676 DCHECK(new_parsed->scheme.is_valid());
677 size_t scheme_and_separator_len =
678 url.SchemeIs(url::kMailToScheme)
679 ? new_parsed->scheme.len + 1 // +1 for :.
680 : new_parsed->scheme.len + 3; // +3 for ://.
681 #if defined(OS_WIN)
682 // Because there's an additional leading slash after the scheme for local
683 // files on Windows, we should remove it for URL display when eliding
684 // the scheme by offsetting by an additional character.
685 if (url.SchemeIs(url::kFileScheme) &&
686 base::StartsWith(url_string, base::ASCIIToUTF16("file:///"),
687 base::CompareCase::INSENSITIVE_ASCII)) {
688 ++new_parsed->path.begin;
689 ++scheme_size;
690 ++scheme_and_separator_len;
691 }
692 #endif
693
694 url_string.erase(0, scheme_size);
695 // Because offsets in the |adjustments| are already calculated with respect
696 // to the string with the http:// prefix in it, those offsets remain correct
697 // after stripping the prefix. The only thing necessary is to add an
698 // adjustment to reflect the stripped prefix.
699 adjustments->insert(adjustments->begin(),
700 base::OffsetAdjuster::Adjustment(0, scheme_size, 0));
701
702 if (prefix_end)
703 *prefix_end -= scheme_size;
704
705 // Adjust new_parsed.
706 new_parsed->scheme.reset();
707 AdjustAllComponentsButScheme(-scheme_and_separator_len, new_parsed);
708 }
709
710 return url_string;
711 }
712
CanStripTrailingSlash(const GURL & url)713 bool CanStripTrailingSlash(const GURL& url) {
714 // Omit the path only for standard, non-file URLs with nothing but "/" after
715 // the hostname.
716 return url.IsStandard() && !url.SchemeIsFile() && !url.SchemeIsFileSystem() &&
717 !url.has_query() && !url.has_ref() && url.path_piece() == "/";
718 }
719
AppendFormattedHost(const GURL & url,base::string16 * output)720 void AppendFormattedHost(const GURL& url, base::string16* output) {
721 AppendFormattedComponent(
722 url.possibly_invalid_spec(), url.parsed_for_possibly_invalid_spec().host,
723 HostComponentTransform(false), output, nullptr, nullptr);
724 }
725
UnsafeIDNToUnicodeWithDetails(base::StringPiece host)726 IDNConversionResult UnsafeIDNToUnicodeWithDetails(base::StringPiece host) {
727 return UnsafeIDNToUnicodeWithAdjustments(host, nullptr);
728 }
729
IDNToUnicode(base::StringPiece host)730 base::string16 IDNToUnicode(base::StringPiece host) {
731 return IDNToUnicodeWithAdjustments(host, nullptr).result;
732 }
733
StripWWW(const std::string & text)734 std::string StripWWW(const std::string& text) {
735 // Exclude the registry and domain from trivial subdomain stripping.
736 std::string domain_and_registry =
737 net::registry_controlled_domains::GetDomainAndRegistry(
738 text, net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES);
739 // If there is no domain and registry, we may be looking at an intranet
740 // or otherwise non-standard host. Leave those alone.
741 if (domain_and_registry.empty())
742 return text;
743 return text.size() - domain_and_registry.length() >= kWwwLength &&
744 base::StartsWith(text, kWww, base::CompareCase::SENSITIVE)
745 ? text.substr(kWwwLength)
746 : text;
747 }
748
StripWWWFromHostComponent(const std::string & url,url::Component * host)749 void StripWWWFromHostComponent(const std::string& url, url::Component* host) {
750 std::string host_str = url.substr(host->begin, host->len);
751 if (StripWWW(host_str) == host_str)
752 return;
753 host->begin += kWwwLength;
754 host->len -= kWwwLength;
755 }
756
GetSkeletons(const base::string16 & host)757 Skeletons GetSkeletons(const base::string16& host) {
758 return g_idn_spoof_checker.Get().GetSkeletons(host);
759 }
760
LookupSkeletonInTopDomains(const std::string & skeleton,const SkeletonType type)761 TopDomainEntry LookupSkeletonInTopDomains(const std::string& skeleton,
762 const SkeletonType type) {
763 return g_idn_spoof_checker.Get().LookupSkeletonInTopDomains(skeleton, type);
764 }
765
766 } // namespace url_formatter
767