author | Steve Howard <showard@google.com> | 2010-07-22 11:33:48 -0700 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2010-07-22 11:33:48 -0700 |
commit | c2448d488ff4e476762d0a07bb0757ca99c05445 (patch) | |
tree | cac7d8d16da2267717a8ba0c0d7bfcad997894ad /src/com/android/providers/downloads/DownloadProvider.java | |
parent | 0bd0e0c9e4eec9d63b4e0f213e80fc9eee85fdf6 (diff) | |
parent | 0d8d89105c00edbad95a268aaae65f2ff94ed5a1 (diff) | |
am 0d8d8910: Make COLUMN_URI readable and tighten UID restrictions.
Merge commit '0d8d89105c00edbad95a268aaae65f2ff94ed5a1' into gingerbread-plus-aosp
* commit '0d8d89105c00edbad95a268aaae65f2ff94ed5a1':
Make COLUMN_URI readable and tighten UID restrictions.
Diffstat (limited to 'src/com/android/providers/downloads/DownloadProvider.java')
-rw-r--r-- | src/com/android/providers/downloads/DownloadProvider.java | 49 |
1 files changed, 15 insertions, 34 deletions
diff --git a/src/com/android/providers/downloads/DownloadProvider.java b/src/com/android/providers/downloads/DownloadProvider.java
index bb205ad4..e543c443 100644
--- a/src/com/android/providers/downloads/DownloadProvider.java
+++ b/src/com/android/providers/downloads/DownloadProvider.java
@@ -96,6 +96,7 @@ public final class DownloadProvider extends ContentProvider {
 Downloads.Impl.COLUMN_CURRENT_BYTES,
 Downloads.Impl.COLUMN_TITLE,
 Downloads.Impl.COLUMN_DESCRIPTION,
+ Downloads.Impl.COLUMN_URI,
 };
 private static HashSet<String> sAppReadableColumnsSet;
@@ -481,40 +482,21 @@ public final class DownloadProvider extends ContentProvider {
 }
 if (shouldRestrictVisibility()) {
- boolean canSeeAllExternal;
 if (projection == null) {
 projection = sAppReadableColumnsArray;
- // sAppReadableColumnsArray includes _DATA, which is not allowed
- // to be seen except by the initiating application
- canSeeAllExternal = false;
 } else {
- canSeeAllExternal = getContext().checkCallingPermission(
- Downloads.Impl.PERMISSION_SEE_ALL_EXTERNAL)
- == PackageManager.PERMISSION_GRANTED;
 for (int i = 0; i < projection.length; ++i) {
 if (!sAppReadableColumnsSet.contains(projection[i])) {
 throw new IllegalArgumentException(
 "column " + projection[i] + " is not allowed in queries");
 }
- canSeeAllExternal = canSeeAllExternal
- && !projection[i].equals(Downloads.Impl._DATA);
 }
 }
 if (!emptyWhere) {
 qb.appendWhere(" AND ");
 emptyWhere = false;
 }
- String validUid = "( " + Constants.UID + "="
- + Binder.getCallingUid() + " OR "
- + Downloads.Impl.COLUMN_OTHER_UID + "="
- + Binder.getCallingUid() + " )";
- if (canSeeAllExternal) {
- qb.appendWhere("( " + validUid + " OR "
- + Downloads.Impl.DESTINATION_EXTERNAL + " = "
- + Downloads.Impl.COLUMN_DESTINATION + " )");
- } else {
- qb.appendWhere(validUid);
- }
+ qb.appendWhere(getRestrictedUidClause());
 }
 if (Constants.LOGVV) {
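Review bot: `Downloads.Impl.COLUMN_URI` is added to what appears to be the app-readable column list without any comment on why it is safe to expose, and a download URL can carry credentials or signed query parameters. After this change a restricted caller can read the URI of every row that matches its UID or `COLUMN_OTHER_UID`, so the exposure rests entirely on the UID clause applied in the query path. I would add a comment beside the entry, for example `// URI may embed tokens; readable only because restricted queries are limited to the caller's own rows`. The array initializer starts outside the hunk, so the other entries were not reviewed.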
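Review bot: The allow-list loop in the `shouldRestrictVisibility()` branch validates only `projection`, so a restricted caller's selection and sort order may still name columns that are not in `sAppReadableColumnsSet`; neither is checked in the visible lines. If they reach the query builder unfiltered elsewhere in the method, which starts and ends outside this hunk, values of hidden columns could still influence which rows are returned. I would either validate them against the same set or record the assumption above the loop, e.g. `// NOTE: only the projection is filtered here; selection and sort order are caller-controlled`.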
@@ -637,7 +619,7 @@ public final class DownloadProvider extends ContentProvider {
 }
 /**
- * @return true if we should restrict this call to viewing only its own downloads
+ * @return true if we should restrict this caller to viewing only its own downloads
 */
 private boolean shouldRestrictVisibility() {
 int callingUid = Binder.getCallingUid();
@@ -648,6 +630,14 @@ public final class DownloadProvider extends ContentProvider {
 }
 /**
+ * @return a SQL WHERE clause to restrict the query to downloads accessible to the caller's UID
+ */
+ private String getRestrictedUidClause() {
+ return "( " + Constants.UID + "=" + Binder.getCallingUid() + " OR "
+ + Downloads.Impl.COLUMN_OTHER_UID + "=" + Binder.getCallingUid() + " )";
+ }
+
+ /**
 * Updates a row in the database
 */
 @Override
@@ -707,12 +697,8 @@ public final class DownloadProvider extends ContentProvider {
 rowId = Long.parseLong(segment);
 myWhere += " ( " + Downloads.Impl._ID + " = " + rowId + " ) ";
 }
- int callingUid = Binder.getCallingUid();
- if (Binder.getCallingPid() != Process.myPid() &&
- callingUid != mSystemUid &&
- callingUid != mDefContainerUid) {
- myWhere += " AND ( " + Constants.UID + "=" + Binder.getCallingUid() + " OR "
- + Downloads.Impl.COLUMN_OTHER_UID + "=" + Binder.getCallingUid() + " )";
+ if (shouldRestrictVisibility()) {
+ myWhere += " AND " + getRestrictedUidClause();
 }
 if (filteredValues.size() > 0) {
 count = db.update(DB_TABLE, filteredValues, myWhere, whereArgs);
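Review bot: The new `getRestrictedUidClause()` calls `Binder.getCallingUid()` twice, and its Javadoc does not say that the result is meant to be concatenated into WHERE strings that also contain caller-supplied text. Reading the UID once, `final int uid = Binder.getCallingUid();`, makes it obvious that both comparisons use the same value. The doc comment should state that the clause is self-parenthesised and built only from an int, which is what makes appending it safe, and that it must be evaluated while the incoming Binder identity is still in effect.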
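Review bot: In the update path the UID restriction is joined with a bare `" AND "` to whatever `myWhere` already holds, and that text is assembled from the caller's `where` outside this hunk. If `myWhere` can be empty at this point the statement begins with `AND` and fails, and otherwise the restriction is only as strong as the grouping of the text in front of it, for instance an `OR` there would bind more loosely than the appended `AND`. Wrapping the existing text keeps the UID clause a top-level conjunct: `myWhere = (myWhere.length() > 0 ? "( " + myWhere + " ) AND " : "") + getRestrictedUidClause();`. The same concatenation is added in the delete hunk at -766,13.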
@@ -766,13 +752,8 @@ public final class DownloadProvider extends ContentProvider {
 long rowId = Long.parseLong(segment);
 myWhere += " ( " + Downloads.Impl._ID + " = " + rowId + " ) ";
 }
- int callingUid = Binder.getCallingUid();
- if (Binder.getCallingPid() != Process.myPid() &&
- callingUid != mSystemUid &&
- callingUid != mDefContainerUid) {
- myWhere += " AND ( " + Constants.UID + "=" + Binder.getCallingUid() + " OR "
- + Downloads.Impl.COLUMN_OTHER_UID + "="
- + Binder.getCallingUid() + " )";
+ if (shouldRestrictVisibility()) {
+ myWhere += " AND " + getRestrictedUidClause();
 }
 deleteRequestHeaders(db, where, whereArgs);
 count = db.delete(DB_TABLE, myWhere, whereArgs);
|
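Review bot: `deleteRequestHeaders(db, where, whereArgs)` is still given the caller's raw `where` instead of `myWhere`, so neither the row-id term nor the new `getRestrictedUidClause()` restriction reaches it. Its body is outside this hunk, but if it selects rows by that clause, a restricted caller could remove request headers belonging to downloads that the following `db.delete` would refuse to touch. Passing the restricted clause, `deleteRequestHeaders(db, myWhere, whereArgs);`, keeps both deletions scoped to the same rows. The enclosing method starts and ends outside the hunk.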