author | tsepez@chromium.org <tsepez@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-03-03 21:21:35 +0000 |
---|---|---|
committer | tsepez@chromium.org <tsepez@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-03-03 21:21:35 +0000 |
commit | 45172e6e478a359eba9c05bc72dd0b4c241a65c8 (patch) | |
tree | 00c8a15240c6af03b59710151facdf4bb740c167 | |
parent | fc3fe9dc64bc6ebaa3c9767e1eef54142f9fb46a (diff) | |
Prevent URLs with invalid schemes from resolving as relative to data: URLs.
There is a missing bit of logic when the scheme is invalid that is
present in the case where the scheme is empty. Either way, we can't
consider this a relative URL if the base scheme isn't hierarchical.
BUG=346132
Review URL: https://codereview.chromium.org/177093008
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@254565 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | url/url_canon_relative.cc | 4 | ||||
-rw-r--r-- | url/url_canon_unittest.cc | 1 |
2 files changed, 5 insertions, 0 deletions
diff --git a/url/url_canon_relative.cc b/url/url_canon_relative.cc
index 33b814c..c210587 100644
--- a/url/url_canon_relative.cc
+++ b/url/url_canon_relative.cc
@@ -121,6 +121,10 @@ bool DoIsRelativeURL(const char* base,
 int scheme_end = scheme.end();
 for (int i = scheme.begin; i < scheme_end; i++) {
 if (!CanonicalSchemeChar(url[i])) {
+ if (!is_base_hierarchical) {
+ // Don't allow relative URLs if the base scheme doesn't support it.
+ return false;
+ }
 *relative_component = url_parse::MakeRange(begin, url_len);
 *is_relative = true;
 return true;
diff --git a/url/url_canon_unittest.cc b/url/url_canon_unittest.cc
index 2275429..9997afa 100644
--- a/url/url_canon_unittest.cc
+++ b/url/url_canon_unittest.cc
@@ -2072,6 +2072,7 @@ TEST(URLCanonTest, ResolveRelativeURL) {
 {"http://foo/bar", true, false, ":foo", true, true, true, "http://foo/:foo"},
 {"http://foo/bar", true, false, " hello world", true, true, true, "http://foo/hello%20world"},
 {"data:asdf", false, false, ":foo", false, false, false, NULL},
+ {"data:asdf", false, false, "bad(':foo')", false, false, false, NULL},
 // We should treat semicolons like any other character in URL resolving
 {"http://host/a", true, false, ";foo", true, true, true, "http://host/;foo"},
 {"http://host/a;", true, false, ";foo", true, true, true, "http://host/;foo"},
|
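Review bot: The early return added inside the `!CanonicalSchemeChar(url[i])` branch is a second copy of the non-hierarchical-base check that, per the commit description, already exists on the empty-scheme path, so the two copies can drift apart again the way they did here. Consider routing both paths through one shared guard, or at least make the comment state the reasoning: `// An invalid scheme char means this can only be relative; a non-hierarchical base (e.g. data:) cannot resolve it, so fail.` The return also leaves `*is_relative` and `*relative_component` unwritten, which is safe only if they are initialised earlier. DoIsRelativeURL starts and ends outside the hunk, so that needs confirming there.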
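Review bot: The added row covers only a `data:` base, so the test does not pin that the same input still resolves against a hierarchical base, nor that other non-hierarchical bases are rejected too. Add a control row with an `http://` base and `"bad(':foo')"` as the relative input, plus a row with a second non-hierarchical base, so a later change to the guard in url_canon_relative.cc cannot silently widen or narrow it. A short comment above the new row, `// Invalid scheme chars must not make a URL relative to a non-hierarchical base.`, would explain why it sits next to the `:foo` case. The table and the TEST body continue outside the hunk.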