diff options
| author | Svetoslav <svetoslavganov@google.com> | 2015-08-04 18:53:12 -0700 |
|---|---|---|
| committer | Svetoslav Ganov <svetoslavganov@google.com> | 2015-08-05 17:48:46 +0000 |
| commit | f94b8b8a31ed2eee8350728abadee567c44ea58c (patch) | |
| tree | 22c8e5e5939ff9799699762cce2d159c62ddf0cd /src/com/android/providers | |
| parent | 2c86de8ad3e8724d2c1d0325606188ecf69e3128 (diff) | |
| download | android_packages_providers_MediaProvider-f94b8b8a31ed2eee8350728abadee567c44ea58c.tar.gz android_packages_providers_MediaProvider-f94b8b8a31ed2eee8350728abadee567c44ea58c.tar.bz2 android_packages_providers_MediaProvider-f94b8b8a31ed2eee8350728abadee567c44ea58c.zip | |
Media provider clears binder id calling in other providers
The media provider can call into the downloads provider which
runs in the same process from an IPC. In this case the
permission and ap ops checks in the downloads provider will
be verified against the caller of the media provider instead
of against the media provider itself.
bug:22629557
Change-Id: I444a2db96353f50c60cd1d7bb20538ab7d463a1e
Diffstat (limited to 'src/com/android/providers')
| -rwxr-xr-x | src/com/android/providers/media/MediaProvider.java | 14 | ||||
| -rw-r--r-- | src/com/android/providers/media/MediaThumbRequest.java | 3 |
2 files changed, 15 insertions, 2 deletions
diff --git a/src/com/android/providers/media/MediaProvider.java b/src/com/android/providers/media/MediaProvider.java index 6c160763..0bbba768 100755 --- a/src/com/android/providers/media/MediaProvider.java +++ b/src/com/android/providers/media/MediaProvider.java @@ -3784,7 +3784,6 @@ public class MediaProvider extends ContentProvider { } } - private MediaThumbRequest requestMediaThumbnail(String path, Uri uri, int priority, long magic) { synchronized (mMediaThumbQueue) { MediaThumbRequest req = null; @@ -4992,6 +4991,8 @@ public class MediaProvider extends ContentProvider { private void writeAlbumArt( boolean need_to_recompress, Uri out, byte[] compressed, Bitmap bm) throws IOException { OutputStream outstream = null; + // Clear calling identity as we may be handling an IPC. + final long identity = Binder.clearCallingIdentity(); try { outstream = getContext().getContentResolver().openOutputStream(out); @@ -5005,6 +5006,7 @@ public class MediaProvider extends ContentProvider { } } } finally { + Binder.restoreCallingIdentity(identity); IoUtils.closeQuietly(outstream); } } @@ -5110,7 +5112,15 @@ public class MediaProvider extends ContentProvider { // Note that this only does something if getAlbumArtOutputUri() reused an // existing entry from the database. If a new entry was created, it will // have been rolled back as part of backing out the transaction. - getContext().getContentResolver().delete(out, null, null); + + // Clear calling identity as we may be handling an IPC. + final long identity = Binder.clearCallingIdentity(); + try { + getContext().getContentResolver().delete(out, null, null); + } finally { + Binder.restoreCallingIdentity(identity); + } + } } } diff --git a/src/com/android/providers/media/MediaThumbRequest.java b/src/com/android/providers/media/MediaThumbRequest.java index 34d54c88..3d7cc83f 100644 --- a/src/com/android/providers/media/MediaThumbRequest.java +++ b/src/com/android/providers/media/MediaThumbRequest.java @@ -147,6 +147,8 @@ class MediaThumbRequest { if (fileMagic == magic) { Cursor c = null; ParcelFileDescriptor pfd = null; + // Clear calling identity as we may be handling an IPC. + final long identity = Binder.clearCallingIdentity(); try { c = mCr.query(mThumbUri, THUMB_PROJECTION, mOrigColumnName + " = " + mOrigId, null, null); @@ -157,6 +159,7 @@ class MediaThumbRequest { } catch (IOException ex) { // MINI_THUMBNAIL not exists, ignore the exception and generate one. } finally { + Binder.restoreCallingIdentity(identity); if (c != null) c.close(); if (pfd != null) { pfd.close(); |