authorPinyao Ting <pinyaoting@google.com>2019-08-08 15:35:20 -0700
committerandroid-build-team Robot <android-build-team-robot@google.com>2019-09-20 02:56:15 +0000
commitce472cd14f7262a0f5b3ffe656af05ed673c8e08 (patch)
tree2410225948122fdfcd2a91608cfd2985373681a0
parent270884373ddd2c8440e43c98286b1bc013418547 (diff)
fixes a security vulnerability in slice provider
Bug: 138441555 Test: Manual Change-Id: Ib1b4fba54ebd3599fe11021d21dc9b09d34e8965 Merged-In: Ib1b4fba54ebd3599fe11021d21dc9b09d34e8965 (cherry picked from commit 2b415a4c4465a6294e51ad1a8fcf2e6c1497853b) (cherry picked from commit a6364d92edafd79006da671c5d476de77439e45c)
-rw-r--r--core/java/android/app/slice/SliceProvider.java20
1 files changed, 14 insertions, 6 deletions
diff --git a/core/java/android/app/slice/SliceProvider.java b/core/java/android/app/slice/SliceProvider.java
index 0ccd49f2e02..5e530eedd81 100644
--- a/core/java/android/app/slice/SliceProvider.java
+++ b/core/java/android/app/slice/SliceProvider.java
@@ -355,7 +355,8 @@ public abstract class SliceProvider extends ContentProvider {
@Override
public Bundle call(String method, String arg, Bundle extras) {
if (method.equals(METHOD_SLICE)) {
- Uri uri = getUriWithoutUserId(extras.getParcelable(EXTRA_BIND_URI));
+ Uri uri = getUriWithoutUserId(validateIncomingUriOrNull(
+ extras.getParcelable(EXTRA_BIND_URI)));
List<SliceSpec> supportedSpecs = extras.getParcelableArrayList(EXTRA_SUPPORTED_SPECS);
String callingPackage = getCallingPackage();
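Review bot: In the METHOD_SLICE branch `extras` is dereferenced by `extras.getParcelable(EXTRA_BIND_URI)` with no null check visible between the `call` signature and that line, so a caller passing a null Bundle would hit a NullPointerException before the new validation runs. Unless a guard exists outside this hunk, consider rejecting a missing Bundle explicitly at the top of `call`, for example `if (extras == null) throw new IllegalArgumentException("extras required");`, so the failure mode is deliberate rather than incidental. The same dereference pattern appears in every other branch of the method shown in the later hunks. The body of `call` continues beyond this hunk.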
@@ -369,7 +370,7 @@ public abstract class SliceProvider extends ContentProvider {
} else if (method.equals(METHOD_MAP_INTENT)) {
Intent intent = extras.getParcelable(EXTRA_INTENT);
if (intent == null) return null;
- Uri uri = onMapIntentToUri(intent);
+ Uri uri = validateIncomingUriOrNull(onMapIntentToUri(intent));
List<SliceSpec> supportedSpecs = extras.getParcelableArrayList(EXTRA_SUPPORTED_SPECS);
Bundle b = new Bundle();
if (uri != null) {
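Review bot: The METHOD_MAP_INTENT branch now validates the value returned by `onMapIntentToUri(intent)`, which is this provider's own output rather than a caller-supplied URI, and nothing on the line says why. A short comment would keep a later cleanup from removing the check as redundant, for example `// The Intent is caller-controlled, so the URI derived from it is validated like any incoming URI.` `validateIncomingUri` is defined outside this page; if it throws on a mismatch, a mapped URI that fails validation now surfaces to the caller as an exception instead of taking the existing `uri != null` path, which is worth stating in the same comment. The METHOD_MAP_ONLY_INTENT branch in the next hunk has the same change and needs the same explanation.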
@@ -383,24 +384,27 @@ public abstract class SliceProvider extends ContentProvider {
} else if (method.equals(METHOD_MAP_ONLY_INTENT)) {
Intent intent = extras.getParcelable(EXTRA_INTENT);
if (intent == null) return null;
- Uri uri = onMapIntentToUri(intent);
+ Uri uri = validateIncomingUriOrNull(onMapIntentToUri(intent));
Bundle b = new Bundle();
b.putParcelable(EXTRA_SLICE, uri);
return b;
} else if (method.equals(METHOD_PIN)) {
- Uri uri = getUriWithoutUserId(extras.getParcelable(EXTRA_BIND_URI));
+ Uri uri = getUriWithoutUserId(validateIncomingUriOrNull(
+ extras.getParcelable(EXTRA_BIND_URI)));
if (Binder.getCallingUid() != Process.SYSTEM_UID) {
throw new SecurityException("Only the system can pin/unpin slices");
}
handlePinSlice(uri);
} else if (method.equals(METHOD_UNPIN)) {
- Uri uri = getUriWithoutUserId(extras.getParcelable(EXTRA_BIND_URI));
+ Uri uri = getUriWithoutUserId(validateIncomingUriOrNull(
+ extras.getParcelable(EXTRA_BIND_URI)));
if (Binder.getCallingUid() != Process.SYSTEM_UID) {
throw new SecurityException("Only the system can pin/unpin slices");
}
handleUnpinSlice(uri);
} else if (method.equals(METHOD_GET_DESCENDANTS)) {
- Uri uri = getUriWithoutUserId(extras.getParcelable(EXTRA_BIND_URI));
+ Uri uri = getUriWithoutUserId(
+ validateIncomingUriOrNull(extras.getParcelable(EXTRA_BIND_URI)));
Bundle b = new Bundle();
b.putParcelableArrayList(EXTRA_SLICE_DESCENDANTS,
new ArrayList<>(handleGetDescendants(uri)));
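Review bot: In the METHOD_PIN and METHOD_UNPIN branches the URI is parsed and validated before the `Binder.getCallingUid() != Process.SYSTEM_UID` check, so an unprivileged caller still exercises the URI handling path before being rejected. Moving the UID check to the first statement of each branch rejects non-system callers before any of their input is touched, and they would then always receive the "Only the system can pin/unpin slices" error rather than whichever check fails first. Separately, a missing EXTRA_BIND_URI is passed through as null by `validateIncomingUriOrNull` and, unless `getUriWithoutUserId` rejects it, reaches `handlePinSlice(uri)`, `handleUnpinSlice(uri)` and `handleGetDescendants(uri)`. If those handlers require a URI, an explicit `if (uri == null) throw new IllegalArgumentException("Missing bind uri");` after extraction would be safer.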
@@ -416,6 +420,10 @@ public abstract class SliceProvider extends ContentProvider {
return super.call(method, arg, extras);
}
+ private Uri validateIncomingUriOrNull(Uri uri) {
+ return uri == null ? null : validateIncomingUri(uri);
+ }
+
private Collection<Uri> handleGetDescendants(Uri uri) {
mCallback = "onGetSliceDescendants";
return onGetSliceDescendants(uri);
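Review bot: The new `validateIncomingUriOrNull` helper has no documentation, and its null pass-through is the part a maintainer most needs to know: a null argument skips validation entirely and is returned as-is. I would add a Javadoc stating that non-null URIs are checked by `validateIncomingUri` (defined outside this page, presumably throwing SecurityException on a URI that does not belong to this provider) and that null is returned unchanged so each call site keeps its own null handling. The commit message lists only `Test: Manual`; a unit test that calls `call` with a URI for another authority under each method constant would keep this check from regressing.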