diff options
| author | Yohei Yukawa <yukawa@google.com> | 2018-09-06 10:47:15 -0700 |
|---|---|---|
| committer | Yohei Yukawa <yukawa@google.com> | 2018-09-06 10:47:15 -0700 |
| commit | 674cc4bedd506bf5700abfdc56842f8e051091c4 (patch) | |
| tree | 1bd7b93a661d014e5a1217a3d922d2ad2601599c /core/java | |
| parent | 029f67f85238ba2d4a2443c5659f30f21462d672 (diff) | |
Clarify that InputMethod.attachToken() can be called at most once
I don't know whether this comment was valid in the initial
implementation or not, in the current system InputMethod.attachToken()
is not (indirectly) exposed to the IME client process vir Binder
interface. The only Binder interface that is exposed from the IME
process to the IME client process is IInputMethodSession, not
IInputMethod that implements attachToken().
One may think that a malicious app could try to call
Context.bindService() with InputMethod.SERVICE_INTERFACE to directly
obtain IInputMethod, but it should fail because IMEs must be
protecting their InputMethodService with BIND_INPUT_METHOD so that
only the system can bind to them.
This CL clarifies this point in both JavaDoc and its implementation.
If an IME happened to receive multiple attachToken(), it is an OS bug
and worth letting people know by crashing the IME process.
Fix: 114164394
Test: atest CtsInputMethodTestCases CtsInputMethodServiceHostTestCases
Change-Id: Ia1e1d5ce020155b906e42a222f27b76905217395
Diffstat (limited to 'core/java')
| -rw-r--r-- | core/java/android/inputmethodservice/InputMethodService.java | 8 | ||||
| -rw-r--r-- | core/java/android/view/inputmethod/InputMethod.java | 8 |
2 files changed, 9 insertions, 7 deletions
diff --git a/core/java/android/inputmethodservice/InputMethodService.java b/core/java/android/inputmethodservice/InputMethodService.java index 9295bb7c021c..64c934b332f2 100644 --- a/core/java/android/inputmethodservice/InputMethodService.java +++ b/core/java/android/inputmethodservice/InputMethodService.java @@ -450,10 +450,12 @@ public class InputMethodService extends AbstractInputMethodService { @MainThread @Override public void attachToken(IBinder token) { - if (mToken == null) { - mToken = token; - mWindow.setToken(token); + if (mToken != null) { + throw new IllegalStateException( + "attachToken() must be called at most once. token=" + token); } + mToken = token; + mWindow.setToken(token); } /** diff --git a/core/java/android/view/inputmethod/InputMethod.java b/core/java/android/view/inputmethod/InputMethod.java index ab8886bb8479..ca14ebef392b 100644 --- a/core/java/android/view/inputmethod/InputMethod.java +++ b/core/java/android/view/inputmethod/InputMethod.java @@ -86,10 +86,10 @@ public interface InputMethod { * needed to identify itself with the service to validate its operations. * This token <strong>must not</strong> be passed to applications, since * it grants special priviledges that should not be given to applications. - * - * <p>Note: to protect yourself from malicious clients, you should only - * accept the first token given to you. Any after that may come from the - * client. + * + * <p>The system guarantees that this method is called back between + * {@link InputMethodService#onCreate()} and {@link InputMethodService#onDestroy()} + * at most once. */ @MainThread public void attachToken(IBinder token); |