From 6e222c3938db43fc00f3d6f8fbb138af075c689b Mon Sep 17 00:00:00 2001
From: Ian Clelland <iclelland@chromium.org>
Date: Tue, 26 Aug 2014 14:58:00 -0400
Subject: [PATCH] CB-7291: Restrict meaning of "*" in internal whitelist to
 just http and https

---
 framework/src/org/apache/cordova/ConfigXmlParser.java | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/framework/src/org/apache/cordova/ConfigXmlParser.java b/framework/src/org/apache/cordova/ConfigXmlParser.java
index 2a667a9a..1ada1af2 100644
--- a/framework/src/org/apache/cordova/ConfigXmlParser.java
+++ b/framework/src/org/apache/cordova/ConfigXmlParser.java
@@ -119,7 +119,15 @@ public class ConfigXmlParser {
                         if (external) {
                             externalWhitelist.addWhiteListEntry(origin, (subdomains != null) && (subdomains.compareToIgnoreCase("true") == 0));
                         } else {
-                            internalWhitelist.addWhiteListEntry(origin, (subdomains != null) && (subdomains.compareToIgnoreCase("true") == 0));
+                            if ("*".equals(origin)) {
+                                // Special-case * origin to mean http and https when used for internal
+                                // whitelist. This prevents external urls like sms: and geo: from being
+                                // handled internally.
+                                internalWhitelist.addWhiteListEntry("http://*/*", false);
+                                internalWhitelist.addWhiteListEntry("https://*/*", false);
+                            } else {
+                                internalWhitelist.addWhiteListEntry(origin, (subdomains != null) && (subdomains.compareToIgnoreCase("true") == 0));
+                            }
                         }
                     }
                 }