path: root/src/com/android/providers/downloads/DownloadProvider.java

Commit log (columns: Commit message, Author, Age, Files, Lines), newest first:

* RESTRICT AUTOMERGE
  Author: Jeff Sharkey   Age: 2019-09-18   Files: 1   Lines: -83/+106

  Enable stricter SQLiteQueryBuilder options.

  Malicious callers can leak side-channel information by using subqueries in any untrusted inputs where SQLite allows "expr" values. This change starts using setStrictColumns() and setStrictGrammar() on SQLiteQueryBuilder to block this class of attacks.

  This means we now need to define the projection mapping of valid columns, which consists of both the columns defined in the public API and columns read internally by DownloadInfo.Reader. We're okay growing sAppReadableColumnsSet like this, since we're relying on our trusted WHERE clause to filter away any rows that don't belong to the calling UID.

  Remove the legacy Lexer code, since we're now internally relying on the robust and well-tested SQLiteTokenizer logic.

  Bug: 135270103
  Bug: 135269143
  Test: atest DownloadProviderTests
  Test: atest CtsAppTestCases:android.app.cts.DownloadManagerTest
  Change-Id: I302091ceda3591785b2124575e89dad19bc97469
  (cherry picked from commit d3e5c766a143853580dd6642a4a32c5d1a6f9fb1)

* DO NOT MERGE. All untrusted selections must go through builder.
  Author: Jeff Sharkey   Age: 2018-08-15   Files: 1   Lines: -105/+91

  When accepting untrusted selections, they must be passed directly to SQLiteQueryBuilder to ensure that setStrict() can be applied to check for malicious callers sending unbalanced parentheses. This means we can't mix local and remote selections; they always need to be kept separate.

  Use newly added SQLiteQueryBuilder functionality to apply strict detection to update() and delete() calls.

  Only allow the owner of a particular download to query the headers for that download. Only delete headers for a download once we've confirmed that caller can modify that download.

  Test: atest packages/providers/DownloadProvider/tests/
  Test: atest cts/tests/app/src/android/app/cts/DownloadManagerTest.java
  Bug: 111085900
  Change-Id: I9fd8e0d3cf80d7603bf0092f36fe449467090821
  Merged-In: I9fd8e0d3cf80d7603bf0092f36fe449467090821
  (cherry picked from commit 64b55ea82b1f394369237601ae1f1c78b776aabc)

* Remove "public" download feature.
  Author: Jeff Sharkey   Age: 2018-08-01   Files: 1   Lines: -12/+2

  It was never a supported API, and has been reported as causing security issues, so remove it.

  Bug: 111084083
  Test: builds
  Change-Id: I26345b192ffd55216bb8c8fdb82cb5869d68d3db
  (cherry picked from commit ce9f204ac493f000cd3020e195fd5038d0cec1e2)

* Close idle connections to release RAM
  Author: Fyodor Kupolov   Age: 2017-09-05   Files: 1   Lines: -0/+3

  Close idle connections after 30s of inactivity to release RAM.
  Savings: ~.2MB on marlin, ~0.1MB on low-ram devices

  Bug: 63398887
  Test: reboot and dumpsys meminfo android.process.media
  Change-Id: If2505df7e654ab93cf64e6aeb7721c6f0a0134a5

* Allocate space using new StorageManager API.
  Author: Jeff Sharkey   Age: 2017-07-15   Files: 1   Lines: -8/+3

  Instead of reaching directly into PackageManager, use the new StorageManager API to allocate disk space for downloads. This wraps both clearing cached files and fallocate() into a single method.

  Remove support for storing downloads on the /cache partition, which doesn't exist on many devices.

  Bug: 63057877
  Test: bit DownloadProviderTests:*
  Exempt-From-Owner-Approval: Bug 63673347
  Change-Id: I5749f7a2f7ded9157fea763dc652bf4da88d86ff

* Keep shared downloads when apps are uninstalled.
  Author: Jeff Sharkey   Age: 2017-04-18   Files: 1   Lines: -2/+3

  When an app downloads files to external storage, keep those downloads around for the user to enjoy after the app is uninstalled. We still end up deleting files stored in internal cache directories, and under package-specific directories on external storage.

  Test: builds, boots, downloads on external storage remain
  Bug: 30868200
  Change-Id: Ib70f42aa764a8252fe67c6fba9d60b3350f5d5a4

* Deleting downloads for removed uids on downloadprovider start
  Author: Suprabh Shukla   Age: 2017-03-07   Files: 1   Lines: -10/+45

  After uninstalling an app, if the system was shut down before the download provider received the broadcast for UID_REMOVED, another app installed later in the same uid might be able to gain access to the files downloaded by this app. Removing any such hanging downloads at the start up of the download provider should fix this issue.

  Test: Manually tested by uninstalling an app and killing and restarting the process android.process.media, to check that the downloaded files of the uninstalled app were deleted.
  Bug: 22011579
  Change-Id: I7382c4846f99035b40412a01715aee5873efa9e6

* Only send DOWNLOAD_COMPLETE broadcast once.
  Author: Jeff Sharkey   Age: 2016-10-14   Files: 1   Lines: -10/+25

  Apps might end up confused if we tell them a download was completed multiple times, so only send the broadcast exactly once when we transition it into a "completed" state, either during an update() or a delete() operation.

  Test: verified single broadcast with test app
  Bug: 31619480
  Change-Id: I0b9139ea0e37f6d212b84314048692cd0c4f9cdf

* Merge commit '010fc1856c23d5a15a6e42e334b0fdc7986f7f30' into manual_merge_010fc18 am: e2c5d91b95
  Author: Jeff Sharkey   Age: 2016-09-17   Files: 1   Lines: -0/+44

  Change-Id: I5d3b829662449cc6068501c0cdf0f6b7bc67a8e5

* Merge commit '010fc1856c23d5a15a6e42e334b0fdc7986f7f30' into manual_merge_010fc18
  Author: Jeff Sharkey   Age: 2016-09-16   Files: 1   Lines: -0/+44

  Change-Id: I2fa7bbc82985a294564a072650f9e8472dae9694

* Merge commit '40238b9a601d58d2b4f88da7b14823e8c0340bc6' into manual_merge_40238b9
  Author: Jeff Sharkey   Age: 2016-09-16   Files: 1   Lines: -0/+44

  Change-Id: I0d8441c4bae392726e7d41c77b1d9ac5eda1c09c

* Enforce calling identity before clearing. am: 7c1af8c62c am: 47dcd095ea am: 51033d49f6 am: 9bbd21ff0c am: 0bd9e49a06 am: 73721ade0d am: 36b9c38a53
  Author: Jeff Sharkey   Age: 2016-09-16   Files: 1   Lines: -0/+44

  Change-Id: I53525f314f5ebc659e26c972c62517833ea03e19

* Enforce calling identity before clearing. am: 7c1af8c62c am: 47dcd095ea am: 51033d49f6 am: 9bbd21ff0c
  Author: Jeff Sharkey   Age: 2016-09-16   Files: 1   Lines: -0/+44

  Change-Id: I5f09670f0629addb5fa847799184716020234f35

* Enforce calling identity before clearing.
  Author: Jeff Sharkey   Age: 2016-09-16   Files: 1   Lines: -0/+44

  When opening a downloaded file, enforce that the caller can actually see the requested download before clearing their identity to read internal columns.

  However, this means that we can no longer return the "my_downloads" paths: if those Uris were shared beyond the app that requested the download, access would be denied. Instead, we need to switch to using "all_downloads" Uris so that permission grants can be issued to third-party viewer apps.

  Since an app requesting a download doesn't normally have permission to "all_downloads" paths, we issue narrow grants toward the owner of each download, both at device boot and when new downloads are started.

  Bug: 30537115, 30945409
  Change-Id: If944aada020878a91c363963728d0da9f6fae3ea

* DO NOT MERGE. Send "completed" broadcast if download cancelled.
  Author: Jeff Sharkey   Age: 2016-08-31   Files: 1   Lines: -10/+17

  am: c0496a0b0b

  Change-Id: I19d55af382ab6eb4ad080c402139eaf4df695ace

* DO NOT MERGE. Send "completed" broadcast if download cancelled.
  Author: Jeff Sharkey   Age: 2016-08-31   Files: 1   Lines: -10/+17

  When a download is deleted, we may not have an active thread, so always send the broadcast from the provider. If an active thread encounters a deleted download, skip sending the broadcast twice.

  Change-Id: If8d5b99a1b7232bb64c6d11f22fdb4f5d6dbbfec
  Test: none
  Bug: 30883889
  (cherry picked from commit efb1ac6b49692e62fde6830c3d20953c8632d2ba)

* DO NOT MERGE. Update notifications when deleting downloads.
  Author: Jeff Sharkey   Age: 2016-08-31   Files: 1   Lines: -0/+6

  Otherwise we end up leaving stale notifications around after the underlying download was deleted.

  Change-Id: Ie262a9dd369034de6c06be28b0eedc4231ea2e75
  Test: none
  Bug: 30697605
  (cherry picked from commit 3b7e099588a2697305fd52c342f404a03ec9a9ab)

* Revert "Enforce calling identity before clearing." am: b440ceb00f am: 6777320335 am: a474af3a08 am: 8bec536bf2 am: 34ccbd80ea am: 956426bee5 am: 6a6944d1f4 am: 8e8770bdc8 am: 85a6e20a85 am: 29c0025ae0 am: 9e119a0c29
  Author: Adam Seaton   Age: 2016-08-26   Files: 1   Lines: -13/+0

  Change-Id: Ic8495c5744b3acd16ae2d63be103279a2621411c

* Revert "Enforce calling identity before clearing." am: b440ceb00f am: 6777320335 am: a474af3a08 am: 8bec536bf2 am: 34ccbd80ea am: 956426bee5 am: 6a6944d1f4 am: 8e8770bdc8
  Author: Adam Seaton   Age: 2016-08-26   Files: 1   Lines: -13/+0

  Change-Id: I208036cd66780728f627cd11b2514eeb03c74800

* Revert "Enforce calling identity before clearing." am: b440ceb00f am: 6777320335 am: a474af3a08 am: 8bec536bf2 am: 34ccbd80ea am: 956426bee5 am: 6a6944d1f4
  Author: Adam Seaton   Age: 2016-08-26   Files: 1   Lines: -13/+0

  Change-Id: Ib01cab89347d96c44478e51a27ef2cf17e1e7b2d

* Revert "Enforce calling identity before clearing." am: b440ceb00f am: 6777320335 am: a474af3a08 am: 8bec536bf2
  Author: Adam Seaton   Age: 2016-08-26   Files: 1   Lines: -13/+0

  Change-Id: I81ea34a6f1cdaa438af6397651d7374628d44eff

* Revert "Enforce calling identity before clearing."
  Author: Adam Seaton   Age: 2016-08-26   Files: 1   Lines: -13/+0

  This reverts commit 8be3a92eb0b4105a9ed748be5a937ce79145f565.

  Change-Id: I10401d57239b868f8e3514f81a0e20486838e29c

* Merge "Send "completed" broadcast if download cancelled."
  Author: TreeHugger Robot   Age: 2016-08-23   Files: 1   Lines: -10/+17

* Send "completed" broadcast if download cancelled.
  Author: Jeff Sharkey   Age: 2016-08-23   Files: 1   Lines: -10/+17

  When a download is deleted, we may not have an active thread, so always send the broadcast from the provider. If an active thread encounters a deleted download, skip sending the broadcast twice.

  Change-Id: If8d5b99a1b7232bb64c6d11f22fdb4f5d6dbbfec
  Test: none
  Bug: 30883889

* Update notifications when deleting downloads.
  Author: Jeff Sharkey   Age: 2016-08-23   Files: 1   Lines: -0/+6

  Otherwise we end up leaving stale notifications around after the underlying download was deleted.

  Change-Id: Ie262a9dd369034de6c06be28b0eedc4231ea2e75
  Test: none
  Bug: 30697605

* Enforce calling identity before clearing. am: 8be3a92eb0 am: ec19fe6485 am: b3ce7976f2 am: 860239d87e am: 616f47abce am: a9ea617232 am: 567e549614 am: 14ae5650e4 am: 80ab64c562 am: 77b7d90939 am: 7bd19160b1
  Author: Jeff Sharkey   Age: 2016-08-09   Files: 1   Lines: -0/+13

  Change-Id: I5f041155cf85feb81db55f2b23868754f270ac4d

* Enforce calling identity before clearing. am: 8be3a92eb0 am: ec19fe6485 am: b3ce7976f2 am: 860239d87e am: 616f47abce am: a9ea617232 am: 567e549614 am: 14ae5650e4
  Author: Jeff Sharkey   Age: 2016-08-09   Files: 1   Lines: -0/+13

  Change-Id: I3688aa1ad8e48901b321823f03636bbd55d76780

* Enforce calling identity before clearing. am: 8be3a92eb0 am: ec19fe6485 am: b3ce7976f2 am: 860239d87e am: 616f47abce am: a9ea617232 am: 567e549614
  Author: Jeff Sharkey   Age: 2016-08-09   Files: 1   Lines: -0/+13

  Change-Id: I47ae3c7cfa1e3f6239d95697cf641c8d498a4e60

* Enforce calling identity before clearing. am: 8be3a92eb0 am: ec19fe6485 am: b3ce7976f2 am: 860239d87e
  Author: Jeff Sharkey   Age: 2016-08-09   Files: 1   Lines: -0/+13

  Change-Id: Ic62206ad61c81da00eb57679211c140ce7053032

* Enforce calling identity before clearing.
  Author: Jeff Sharkey   Age: 2016-08-01   Files: 1   Lines: -0/+13

  When opening a downloaded file, enforce that the caller can actually see the requested download before clearing their identity to read internal columns.

  Bug: 30537115
  Change-Id: I01bbad7997e5e908bfb19f5d576860a24f59f295

* Use resolved path for both checking and opening.
  Author: Jeff Sharkey   Age: 2016-01-14   Files: 1   Lines: -2/+8

  This avoids a race condition where someone can change a symlink target after the security checks have passed.

  Bug: 26211054
  Change-Id: I5842aaecc7b7d417a3b1902957b59b8a1f3c1ccb

* DO NOT MERGE. Use resolved path when inserting and deleting.
  Author: Jeff Sharkey   Age: 2016-02-16   Files: 1   Lines: -5/+15

  This avoids a race condition where someone can change a symlink target after the security checks have passed.

  Bug: 26211054
  Change-Id: I40ed6d2298e4b66b4f7a055e68d9820515adf351

* Use resolved path for both checking and opening.
  Author: Jeff Sharkey   Age: 2016-01-14   Files: 1   Lines: -2/+8

  This avoids a race condition where someone can change a symlink target after the security checks have passed.

  Bug: 26211054
  Change-Id: I5842aaecc7b7d417a3b1902957b59b8a1f3c1ccb

* Merge "DO NOT MERGE. Use resolved path when inserting and deleting." into mnc-dr1.5-dev
  Author: Jeff Sharkey   Age: 2016-02-18   Files: 1   Lines: -5/+15

* DO NOT MERGE. Use resolved path when inserting and deleting.
  Author: Jeff Sharkey   Age: 2016-02-16   Files: 1   Lines: -5/+15

  This avoids a race condition where someone can change a symlink target after the security checks have passed.

  Bug: 26211054
  Change-Id: I03b06b746fde5d08d6b61a7011bdace0b4e9fa77

* Clear identity when deleting scanned entry. am: 01dee86505 am: d8fc87e08e
  Author: Jeff Sharkey   Age: 2016-06-28   Files: 1   Lines: -2/+7

  am: 7dda783c24

  Change-Id: I26c1c681d83ad21b2dc79586ab7768abf18dc577

* Clear identity when deleting scanned entry.
  Author: Jeff Sharkey   Age: 2016-06-28   Files: 1   Lines: -2/+7

  When deleting a file from DownloadManager, we also reach over and clean up any scanned MediaStore entries. However, DownloadManager clients may not hold the WRITE_EXTERNAL_STORAGE permission, such as when they downloaded a file into their package-specific directories.

  The safest fix for now is to clear the calling identity and always clean up the MediaStore entries ourselves, since DownloadProvider always holds the required storage permission.

  Bug: 29777504
  Change-Id: Iea8f5696410010807b118bb56e5b897c53f0e1fe

* Enable search for Downloads.
  Author: Ben Lin   Age: 2016-05-10   Files: 1   Lines: -3/+5

  Bug: 26524617
  Change-Id: Ide23c822b97ccab29a341184f14698dc942e8e14

* Scan completed downloads when requested.
  Author: Jeff Sharkey   Age: 2016-05-09   Files: 1   Lines: -0/+10

  The recent JobScheduler rewrite means we no longer spin up a service when inserting an already-completed download. However, the calling app may have requested the download to be scanned, so kick off a scan request for them.

  Bug: 28659693
  Change-Id: I497e10995ba04f1522fe8d7e547ebea6e305f6e9

* Move DownloadManager to use JobScheduler.
  Author: Jeff Sharkey   Age: 2016-04-25   Files: 1   Lines: -48/+62

  JobScheduler is in a much better position to coordinate tasks across the platform to optimize battery and RAM usage. This change removes a bunch of manual scheduling logic by representing each download as a separate job with relevant scheduling constraints.

  Requested network types, retry backoff timing, and newly added charging and idle constraints are plumbed through as job parameters. When a job times out, we halt the download and schedule it to resume later. The majority of downloads should have ETag values to enable resuming like this.

  Remove local wakelocks, since the platform now acquires and blames our jobs on the requesting app.

  When an active download is pushing updates to the database, check for both paused and cancelled state to quickly halt an ongoing download.

  Shift DownloadNotifier to update directly based on a Cursor, since we no longer have the overhead of fully-parsed DownloadInfo objects.

  Unify a handful of worker threads into a single shared thread.

  Remove legacy "large download" activity that was thrown in the face of the user; the UX best-practice is to go through notification, and update that dialog to let the user override and continue if under the hard limit.

  Bug: 28098882, 26571724
  Change-Id: I33ebe59b3c2ea9c89ec526f70b1950c734abc4a7

* Use resolved path for both checking and opening.
  Author: Jeff Sharkey   Age: 2016-02-08   Files: 1   Lines: -6/+22

  This avoids a race condition where someone can change a symlink target after the security checks have passed.

  Bug: 26211054
  Change-Id: I5e1a2343d631109c21a4c5b2d8d00b2946756680

* Revert "Use resolved path for both checking and opening."
  Author: Jeff Sharkey   Age: 2016-01-22   Files: 1   Lines: -8/+2

  This reverts commit 366af2ee1f841615d44ab770b537112d769eed05.

  Change-Id: Id1155425ebcae23be8ce3916f19dda82eee992c4

* Use resolved path for both checking and opening.
  Author: Jeff Sharkey   Age: 2016-01-14   Files: 1   Lines: -2/+8

  This avoids a race condition where someone can change a symlink target after the security checks have passed.

  Bug: 26211054
  Change-Id: I5842aaecc7b7d417a3b1902957b59b8a1f3c1ccb

* Switch to proxy variants of app-ops calls.
  Author: Jeff Sharkey   Age: 2015-07-24   Files: 1   Lines: -2/+2

  Bug: 22718722
  Change-Id: I9c054956c3b3655332475607d6919dc34515e550

* Relax permissions on package-specific paths.
  Author: Jeff Sharkey   Age: 2015-07-14   Files: 1   Lines: -14/+33

  Normally apps must hold the WRITE_EXTERNAL_STORAGE permission in order to use DownloadManager. However, now that the platform has relaxed permissions on package-specific directories, we relax the DownloadManager check in a similar way. This also opens up using DownloadManager to save files on secondary external storage devices.

  Fix bug so that we now check the relevant volume state when thinking about resuming a download.

  Bug: 22135060
  Change-Id: If439340ea48789ea167f49709b5b69a4f0883150

* Create a handler thread
  Author: Todd Kennedy   Age: 2015-06-19   Files: 1   Lines: -1/+5

  The onCreate() method [where we initialize the handler] runs on the main thread. This means the ParcelFileDescriptor also runs tasks involving disk access on the main thread. We need to create a separate thread to run the Content Provider's handler.

  Bug: 19718299
  Change-Id: Ia3661fafd3442ad6260f04253ba24ddf83b176b2

* Actually delete files when rows are deleted.
  Author: Jeff Sharkey   Age: 2015-06-16   Files: 1   Lines: -5/+12

  Otherwise they're orphaned until the next idle maintenance pass.

  Bug: 21786983
  Change-Id: I6eb2240d657366b65482bd3a0d5683e5d34a541a

* Whoops, clear identity to get internal columns.
  Author: Jeff Sharkey   Age: 2014-08-05   Files: 1   Lines: -1/+11

  Bug: 16822344
  Change-Id: Ib90e171cbb7babc7a3eea59de5cb899c79fadf94

* Scan after writing download files.
  Author: Jeff Sharkey   Age: 2014-08-05   Files: 1   Lines: -18/+41

  Kicks off media scanner after files are written, usually through a DocumentsProvider.

  Bug: 13557203
  Change-Id: I4e29b778b4e19a217f60c1e415c4d814724752d3

* am f04a7690: am 90e7485d: am 02562d30: Merge "Avoid leaking cursors"
  Author: Jeff Sharkey   Age: 2014-05-10   Files: 1   Lines: -20/+30

  * commit 'f04a7690b53288c98c07e0aa05214cceebea1331':
    Avoid leaking cursors