Prevent USSD codes via Click to Call

Click to Call allows users to send a phone number from their Chrome
desktop instance to their Android phone. This number comes either from a
user's selection sent via the context menu, or from clicking on a link
with a "tel:" href.
Sending from the context menu is gated by a regular expression and will
not allow any special characters like '#' or '*' to be contained in the
phone number.
Sending link hrefs does not go through that check as we assume the link
is a valid phone number. We do call GURL::GetContent() to get the number
which should discard anything after a (and including the) '#' character.
However, we also URL-decoded the resulting string before then sending it
over to Android, where we URL-decoded it again when constructing the
Dialer intent. This allows sending double-URL-encoded USSD tel links
which will be sent straight to the Dialer on certain Android versions
and device states.

The fix here is on both desktop and Android side:
 - URL-decode the number and ignore if it contains '#', '*' or '%'.
 - Send the raw number (URL-encoded) to Android
 - Verify that URL-decoding the received raw number is valid as above
 - Show the decoded number in the notification
 - Parse the raw number in Java into a Uri object for the Dialer

Together this makes sure that we only URL-decode tel: links once and
verify it on both sender and receiver side before passing it on to the
Android Dialer.

Bug: 1180510
Test: updated unit_tests and browser_tests to check for conversion
Change-Id: Idf380b629cdf00155ecab054398af69f37ec2ef9
Reviewed-by: Robert Kaplow <>
Reviewed-by: David Jacobo <>
Reviewed-by: Gayane Petrosyan <>
Reviewed-by: Istiaque Ahmed <>
Reviewed-by: Peter Beverloo <>
Commit-Queue: Richard Knoll <>
Cr-Commit-Position: refs/heads/master@{#875572}
GitOrigin-RevId: e041be8dc8b5b9e3012e752c2636fcf1cd8b0b1d
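
The double-decoding problem and the decode-once check described in the commit message above, as an added example that is not part of the commit or of Chromium's code. The helper names and sample numbers are constructed for illustration, and the GURL::GetContent() step is not modelled.

```cpp
// Added example (not Chromium code). Helper names and inputs are constructed.
#include <cctype>
#include <iostream>
#include <string>

// Percent-decode exactly once; malformed escapes are copied through unchanged.
std::string PercentDecodeOnce(const std::string& in) {
  std::string out;
  for (size_t i = 0; i < in.size(); ++i) {
    if (in[i] == '%' && i + 2 < in.size() &&
        std::isxdigit(static_cast<unsigned char>(in[i + 1])) &&
        std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
      out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
      i += 2;
    } else {
      out += in[i];
    }
  }
  return out;
}

// Pre-fix flow: desktop decodes, then Android decodes again before dialing.
std::string DialedBeforeFix(const std::string& raw) {
  return PercentDecodeOnce(PercentDecodeOnce(raw));
}

// Check applied on both sender and receiver after the fix: decode once and
// reject the number if '#', '*' or '%' is present in the result.
bool IsAllowedAfterOneDecode(const std::string& raw) {
  return PercentDecodeOnce(raw).find_first_of("#*%") == std::string::npos;
}

int main() {
  // Constructed samples: plain number, single-encoded, double-encoded.
  const char* samples[] = {"%2B1%20555%200100", "%2A123%23", "%252A123%2523"};
  for (const char* raw : samples) {
    std::cout << raw << " -> old flow dials \"" << DialedBeforeFix(raw)
              << "\", new check "
              << (IsAllowedAfterOneDecode(raw) ? "accepts" : "rejects") << "\n";
  }
  return 0;
}
```

Rejecting a leftover '%' after the single decode is what stops the double-encoded form, since one decode of it still contains an escape sequence.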
diff --git a/metrics/histograms/histograms_xml/sharing/histograms.xml b/metrics/histograms/histograms_xml/sharing/histograms.xml
index 0491b0a..62a740a 100644
--- a/metrics/histograms/histograms_xml/sharing/histograms.xml
+++ b/metrics/histograms/histograms_xml/sharing/histograms.xml
@@ -79,6 +79,17 @@
+<histogram name="Sharing.ClickToCallPhoneNumberValid" units="BooleanValid"
+    expires_after="M95">
+  <owner></owner>
+  <owner></owner>
+  <summary>
+    Records if a received phone number is valid. Invalid numbers might suggest
+    that the remote device tried to send malicious data. Logged when handling a
+    Click to Call message on Android received from a Chrome desktop instance.
+  </summary>
 <histogram name="Sharing.ClickToCallSelectedAppIndex" units="index"
 <!-- Name completed by histogram_suffixes name="SharingClickToCallUi" -->
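Review bot: The new Sharing.ClickToCallPhoneNumberValid entry declares units="BooleanValid", but BooleanValid reads as an enum name rather than a unit. If the buckets are meant to be labelled valid/invalid, this should be enum="BooleanValid"; the units="index" on the neighbouring Sharing.ClickToCallSelectedAppIndex is a genuine unit. The summary would also be easier to interpret if it said what makes a number invalid, i.e. that its URL-decoded form contains '#', '*' or '%', as the commit message describes.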