| author | Pinyao Ting <pinyaoting@google.com> | 2019-08-13 11:20:04 -0700 |
|---|---|---|
| committer | android-build-merger <android-build-merger@google.com> | 2019-08-13 11:20:04 -0700 |
| commit | ba45d8a844978f4de3529b36485441ee2003360b (patch) | |
| tree | 2e5b57377975832c7be1fdb89df547c05d1346fb /core/java/android | |
| parent | 1c3d8399ed07fd685667c05ece56f4696e14cadb (diff) | |
| parent | 69018b0325fbae69fcb839a8fc105c655a4a39a6 (diff) | |
Merge "fixes a security vulnerability in slice provider" into qt-qpr1-dev
am: 69018b0325
Change-Id: Ibd5810c49a728b297751891006da35f09c6975b1
Diffstat (limited to 'core/java/android')
| -rw-r--r-- | core/java/android/app/slice/SliceProvider.java | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/core/java/android/app/slice/SliceProvider.java b/core/java/android/app/slice/SliceProvider.java
index 0ccd49f2e028..5e530eedd818 100644
--- a/core/java/android/app/slice/SliceProvider.java
+++ b/core/java/android/app/slice/SliceProvider.java
@@ -355,7 +355,8 @@ public abstract class SliceProvider extends ContentProvider {
 @Override
 public Bundle call(String method, String arg, Bundle extras) {
 if (method.equals(METHOD_SLICE)) {
- Uri uri = getUriWithoutUserId(extras.getParcelable(EXTRA_BIND_URI));
+ Uri uri = getUriWithoutUserId(validateIncomingUriOrNull(
+ extras.getParcelable(EXTRA_BIND_URI)));
 List<SliceSpec> supportedSpecs = extras.getParcelableArrayList(EXTRA_SUPPORTED_SPECS);
 String callingPackage = getCallingPackage();
@@ -369,7 +370,7 @@ public abstract class SliceProvider extends ContentProvider {
 } else if (method.equals(METHOD_MAP_INTENT)) {
 Intent intent = extras.getParcelable(EXTRA_INTENT);
 if (intent == null) return null;
- Uri uri = onMapIntentToUri(intent);
+ Uri uri = validateIncomingUriOrNull(onMapIntentToUri(intent));
 List<SliceSpec> supportedSpecs = extras.getParcelableArrayList(EXTRA_SUPPORTED_SPECS);
 Bundle b = new Bundle();
 if (uri != null) {
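Review bot: A missing `EXTRA_BIND_URI` still flows through as `null` in the METHOD_SLICE branch, because `validateIncomingUriOrNull` skips validation for a null URI and its result goes straight into `getUriWithoutUserId(...)` and on to the rest of the branch. The same wrapper is used for the METHOD_PIN, METHOD_UNPIN and METHOD_GET_DESCENDANTS branches in the later hunk. If no caller legitimately omits the bind URI, these branches should fail closed, e.g. `if (uri == null) throw new IllegalArgumentException("Missing " + EXTRA_BIND_URI);` right after the assignment, keeping the null-tolerant helper only for the `onMapIntentToUri` results. `extras` is also dereferenced without a null check on this externally callable entry point, which the change leaves as it was. The body of `call()` continues outside the hunk.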
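Review bot: The reason for validating the return value of `onMapIntentToUri(intent)` in the METHOD_MAP_INTENT branch is not stated, and it is not obvious, since the value comes from the provider's own callback rather than directly from the caller. A comment such as `// The Intent is caller-supplied and a subclass may derive the URI from it, so treat the result as untrusted.` would record that; the same applies to the METHOD_MAP_ONLY_INTENT branch in the next hunk. Unlike the bind-URI branches, this path does not pass the URI through `getUriWithoutUserId`; whether that matters depends on the code after `if (uri != null) {`, which is outside the hunk.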
@@ -383,24 +384,27 @@ public abstract class SliceProvider extends ContentProvider {
 } else if (method.equals(METHOD_MAP_ONLY_INTENT)) {
 Intent intent = extras.getParcelable(EXTRA_INTENT);
 if (intent == null) return null;
- Uri uri = onMapIntentToUri(intent);
+ Uri uri = validateIncomingUriOrNull(onMapIntentToUri(intent));
 Bundle b = new Bundle();
 b.putParcelable(EXTRA_SLICE, uri);
 return b;
 } else if (method.equals(METHOD_PIN)) {
- Uri uri = getUriWithoutUserId(extras.getParcelable(EXTRA_BIND_URI));
+ Uri uri = getUriWithoutUserId(validateIncomingUriOrNull(
+ extras.getParcelable(EXTRA_BIND_URI)));
 if (Binder.getCallingUid() != Process.SYSTEM_UID) {
 throw new SecurityException("Only the system can pin/unpin slices");
 }
 handlePinSlice(uri);
 } else if (method.equals(METHOD_UNPIN)) {
- Uri uri = getUriWithoutUserId(extras.getParcelable(EXTRA_BIND_URI));
+ Uri uri = getUriWithoutUserId(validateIncomingUriOrNull(
+ extras.getParcelable(EXTRA_BIND_URI)));
 if (Binder.getCallingUid() != Process.SYSTEM_UID) {
 throw new SecurityException("Only the system can pin/unpin slices");
 }
 handleUnpinSlice(uri);
 } else if (method.equals(METHOD_GET_DESCENDANTS)) {
- Uri uri = getUriWithoutUserId(extras.getParcelable(EXTRA_BIND_URI));
+ Uri uri = getUriWithoutUserId(
+ validateIncomingUriOrNull(extras.getParcelable(EXTRA_BIND_URI)));
 Bundle b = new Bundle();
 b.putParcelableArrayList(EXTRA_SLICE_DESCENDANTS, new ArrayList<>(handleGetDescendants(uri)));
@@ -416,6 +420,10 @@ public abstract class SliceProvider extends ContentProvider {
 return super.call(method, arg, extras);
 }
+ private Uri validateIncomingUriOrNull(Uri uri) {
+ return uri == null ? null : validateIncomingUri(uri);
+ }
+
 private Collection<Uri> handleGetDescendants(Uri uri) {
 mCallback = "onGetSliceDescendants";
 return onGetSliceDescendants(uri); |
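Review bot: In the METHOD_PIN and METHOD_UNPIN branches the URI is now validated before the `Binder.getCallingUid() != Process.SYSTEM_UID` check, so a non-system caller reaches `validateIncomingUri` and may see whatever failure it raises instead of "Only the system can pin/unpin slices". Making the UID check the first statement of each branch rejects unauthorised callers before any of their input is processed and keeps the failure they see uniform. The change is a reorder only: the `if (Binder.getCallingUid() != Process.SYSTEM_UID) { throw ... }` block moves above the `Uri uri = ...` assignment in both branches.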
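Review bot: `validateIncomingUriOrNull` has no doc comment, and its contract is the security-relevant part of this change: a null URI is returned unchanged and every other URI is handed to `validateIncomingUri`. Suggested comment above the method: `/** Runs validateIncomingUri() on a caller-supplied URI; null is passed through unchecked, so callers must handle it. */`. The diffstat shows only SliceProvider.java changed, so no regression test accompanies the fix; a test that invokes `call()` with a bind URI that does not belong to the provider and expects the call to be rejected would pin the behaviour. `handleGetDescendants` continues past the end of the hunk.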
