Make AutocompleteInput::Parse() more strict: return QUERY for all inputs that

chrome/browser/autocomplete/autocomplete_input.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/autocomplete/autocomplete_input.h"
 
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "chrome/browser/external_protocol/external_protocol_handler.h"
 #include "chrome/browser/profiles/profile_io_data.h"
@@ skipping 132 matching lines @@
   // use the URLFixerUpper here because we want to be smart about what we
   // consider a scheme.  For example, we shouldn't consider www.google.com:80
   // to have a scheme.
   url_parse::Parsed local_parts;
   if (!parts)
     parts = &local_parts;
   const base::string16 parsed_scheme(URLFixerUpper::SegmentURL(text, parts));
   if (scheme)
     *scheme = parsed_scheme;
 
-  // Try to fixup and canonicalize the user's typing.  We use this to help
-  // determine if it's safe to return "URL" as the type of anything that has an
-  // explicit, non-HTTP[S] scheme.  (HTTP[S] and "no scheme" inputs get more
-  // sophisticated heuristics below.)  If we can't canonicalize such inputs, we
-  // shouldn't mark them as "URL"s, because the rest of the autocomplete system
-  // isn't going to be able to produce navigable URL matches for them, which can
-  // lead to DCHECK failures later.
+  // If we can't canonicalize the user's input, the rest of the autocomplete
+  // system isn't going to be able to produce a navigable URL match for it.
+  // So we just return QUERY immediately in these cases.
   GURL placeholder_canonicalized_url;
   if (!canonicalized_url)
     canonicalized_url = &placeholder_canonicalized_url;
   *canonicalized_url = URLFixerUpper::FixupURL(base::UTF16ToUTF8(text),
                                                base::UTF16ToUTF8(desired_tld));
-  Type return_value_for_non_http_url =
-      canonicalized_url->is_valid() ? URL : QUERY;
+  if (!canonicalized_url->is_valid())
+    return QUERY;
 
   if (LowerCaseEqualsASCII(parsed_scheme, content::kFileScheme)) {
     // A user might or might not type a scheme when entering a file URL.  In
     // either case, |parsed_scheme| will tell us that this is a file URL, but
     // |parts->scheme| might be empty, e.g. if the user typed "C:\foo".
     return URL;
   }
 
   // If the user typed a scheme, and it's HTTP or HTTPS, we know how to parse it
   // well enough that we can fall through to the heuristics below.  If it's
   // something else, we can just determine our action based on what we do with
   // any input of this scheme.  In theory we could do better with some schemes
   // (e.g. "ftp" or "view-source") but I'll wait to spend the effort on that
   // until I run into some cases that really need it.
   if (parts->scheme.is_nonempty() &&
       !LowerCaseEqualsASCII(parsed_scheme, content::kHttpScheme) &&
       !LowerCaseEqualsASCII(parsed_scheme, content::kHttpsScheme)) {
     // See if we know how to handle the URL internally.  There are some schemes
     // that we convert to other things before they reach the renderer or else
     // the renderer handles internally without reaching the net::URLRequest
     // logic.  They thus won't be listed as "handled protocols", but we should
     // still claim to handle them.
     if (ProfileIOData::IsHandledProtocol(base::UTF16ToASCII(parsed_scheme)) ||
         LowerCaseEqualsASCII(parsed_scheme, content::kViewSourceScheme) ||
         LowerCaseEqualsASCII(parsed_scheme, content::kJavaScriptScheme) ||
         LowerCaseEqualsASCII(parsed_scheme, content::kDataScheme))
-      return return_value_for_non_http_url;
+      return URL;
 
     // Not an internal protocol.  Check and see if the user has explicitly
     // opened this scheme as a URL before, or if the "scheme" is actually a
     // username.  We need to do this after the check above because some
     // handlable schemes (e.g. "javascript") may be treated as "blocked" by the
     // external protocol handler because we don't want pages to open them, but
     // users still can.
     // Note that the protocol handler needs to be informed that omnibox input
     // should always be considered "user gesture-triggered", lest it always
     // return BLOCK.
     ExternalProtocolHandler::BlockState block_state =
         ExternalProtocolHandler::GetBlockState(
             base::UTF16ToUTF8(parsed_scheme), true);
     switch (block_state) {
       case ExternalProtocolHandler::DONT_BLOCK:
-        return return_value_for_non_http_url;
+        return URL;
 
       case ExternalProtocolHandler::BLOCK:
         // If we don't want the user to open the URL, don't let it be navigated
         // to at all.
         return QUERY;
 
       default: {
         // We don't know about this scheme.  It might be that the user typed a
         // URL of the form "username:password@foo.com".
         const base::string16 http_scheme_prefix =
@@ skipping 43 matching lines @@
         // "www.example.com:81" in this case.
         return UNKNOWN;
       }
     }
   }
 
   // Either the user didn't type a scheme, in which case we need to distinguish
   // between an HTTP URL and a query, or the scheme is HTTP or HTTPS, in which
   // case we should reject invalid formulations.
 
-  // If we have an empty host it can't be a URL.
+  // If we have an empty host it can't be a valid HTTP[S] URL.  (This should
+  // only trigger for input that begins with a colon, which GURL will parse as a
+  // valid, non-standard URL; for standard URLs, an empty host would have
+  // resulted in an invalid |canonicalized_url| above.)
   if (!parts->host.is_nonempty())
     return QUERY;
 
+  // Sanity-check: GURL should have failed to canonicalize this URL if it had an
+  // invalid port.
+  DCHECK_NE(url_parse::PORT_INVALID,
+            url_parse::ParsePort(text.c_str(), parts->port));
+
   // Likewise, the RCDS can reject certain obviously-invalid hosts.  (We also
   // use the registry length later below.)
   const base::string16 host(text.substr(parts->host.begin, parts->host.len));
   const size_t registry_length =
       net::registry_controlled_domains::GetRegistryLength(
           base::UTF16ToUTF8(host),
           net::registry_controlled_domains::EXCLUDE_UNKNOWN_REGISTRIES,
           net::registry_controlled_domains::EXCLUDE_PRIVATE_REGISTRIES);
   if (registry_length == std::string::npos) {
     // Try to append the desired_tld.
@@ skipping 41 matching lines @@
     // Thus we fall down in the following cases:
     // * Trying to navigate to a hostname with spaces
     // * Trying to navigate to a hostname with invalid characters and an unknown
     //   TLD
     // These are rare, though probably possible in intranets.
     return (parts->scheme.is_nonempty() ||
            ((registry_length != 0) &&
             (host.find(' ') == base::string16::npos))) ? UNKNOWN : QUERY;
   }
 
-  // A port number is a good indicator that this is a URL.  However, it might
-  // also be a query like "1.66:1" that looks kind of like an IP address and
-  // port number. So here we only check for "port numbers" that are illegal and
-  // thus mean this can't be navigated to (e.g. "1.2.3.4:garbage"), and we save
-  // handling legal port numbers until after the "IP address" determination
-  // below.
-  if (url_parse::ParsePort(text.c_str(), parts->port) ==
-      url_parse::PORT_INVALID)
-    return QUERY;
-
   // Now that we've ruled out all schemes other than http or https and done a
   // little more sanity checking, the presence of a scheme means this is likely
   // a URL.
   if (parts->scheme.is_nonempty())
     return URL;
 
   // See if the host is an IP address.
   if (host_info.family == url_canon::CanonHostInfo::IPV6)
     return URL;
   // If the user originally typed a host that looks like an IP address (a
@@ skipping 175 matching lines @@
   current_page_classification_ = AutocompleteInput::INVALID_SPEC;
   type_ = INVALID;
   parts_ = url_parse::Parsed();
   scheme_.clear();
   canonicalized_url_ = GURL();
   prevent_inline_autocomplete_ = false;
   prefer_keyword_ = false;
   allow_exact_keyword_match_ = false;
   matches_requested_ = ALL_MATCHES;
 }