summaryrefslogtreecommitdiff
path: root/core/java/android/os/Parcel.java
Commit message (Collapse)AuthorAgeFilesLines
* BaseBundle: fix unparcel error logicSteven Moreland2025-07-081-7/+5
| | | | | | | | | | | This code considered a success case to be an unsuccessful case. Bug: 373357090 Test: repro in bug no longer works (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1997a76a8846a5d5cd27472976885bed0180a59c) Merged-In: Id423936872cbb0e0265ccf2855092357cb175d47 Change-Id: Id423936872cbb0e0265ccf2855092357cb175d47
* Fix allowlist token issuesMatías Hernández2025-01-131-0/+22
| | | | | | | | | | | | | | 1) Don't accept enqueued notifications with an unexpected token. 2) Ensure allowlist token matches for all parceled and unparceled notifications (by only using the "root notification" one). 3) Simplify cookie usage in allowlist token serialization. 4) Ensure group summary (and any notifications added directly by NMS) have the correct token. Bug: 328254922 Bug: 305695605 Test: atest NotificationManagerServiceTest ParcelTest CloseSystemDialogsTest + manually (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8a7453435b633282a9445ee01a902f090adc138c) Merged-In: I232e9b74eece745560ed2e762071b48984b3f176 Change-Id: I232e9b74eece745560ed2e762071b48984b3f176
* Update Parcel readLazyValue to ignore negative object lengthsHani Kazmi2022-10-081-0/+3
| | | | | | | | | | | | | | Addresses a security vulnerability where a (-8) length object would cause dataPosition to be reset back to the statt of the value, and be re-read again. Bug: 240138294 Test: atest ParcelTest BundleTest AmbiguousBundlesTest Test: manually ran PoC Change-Id: I1ab1df6f2a802d8cdf02c89c12959b09d7b1a5c4 Merged-In: I1ab1df6f2a802d8cdf02c89c12959b09d7b1a5c4 (cherry picked from commit 8e01230dd264d652c6f4c82d850da5afc4768bdc) Merged-In: I1ab1df6f2a802d8cdf02c89c12959b09d7b1a5c4
* Add javadoc note about bug in readParcelableCreatorInternalHani Kazmi2022-09-021-0/+53
| | | | | | | | | | follow up to b/232589966. Bug was fixed in master, but did not have time to merge into T. Adding a note to aid developers in using the old API if impacted. Test: m Bug: 240585930 Change-Id: Ibd80007b63ff8d2ad87e18c6c4d0ffedb5184ff5
* Parcel: recycle recyclesSteven Moreland2022-03-301-0/+1
| | | | | | | | | | | | | Before, it was like getting a used pan with food stuck on it. We run a clean ship here. You want a Parcel? You get a fresh Parcel. When we recycle a Parcel, we do a real clean-up job. Air freshener. All bits brushed over. These Parcel objects are clean as heck now! (specifically cleans mClassCookies) Bug: 208279300 Test: build Change-Id: I250872f5c6796bb64e2dc68008154c0e90feb218
* Merge "Fix Parcel.writeFixedArray javadoc" am: 3337082dec am: 13cd8e4f59 am: ↵Jooyung Han2022-03-291-1/+1
|\ | | | | | | | | | | | | | | | | bfcb72d582 Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/2045075 Change-Id: Id8339ca4e794b4816f4ba8d84f06fb579dbfcc01 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
| * Fix Parcel.writeFixedArray javadocJooyung Han2022-03-261-1/+1
| | | | | | | | | | | | | | | | | | | | Reference to createFixedArray shoudl be escaped. Otherwise resulting html renders as <s>(strikethrough) tag. Bug: 227007069 Test: m online-sdk-docs and see if ./reference/android/os/Parcel.html works ok Change-Id: I7a3b447cbeddd8d66ca1733dc8d115c61ece2509
* | Merge "Changing readParcelableList's API." am: 0b340743a6 am: 91117c2cfd am: ↵Hao Ke2022-02-281-2/+2
|\| | | | | | | | | | | | | | | 35ce6344cf Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/1998972 Change-Id: I3f49c826a50a8b28f20d4d8f9913b35f4fa0b4ae
| * Merge "Changing readParcelableList's API."Hao Ke2022-02-251-2/+2
| |\
| | * Changing readParcelableList's API.Hao Ke2022-02-241-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | Signature of readParcelableList() new API is inconsistent with rest, Changing it to allow using Child class as the required type. Bug: 221069460 Test: Build and boot. Change-Id: Ic01c9c8011977d75e3be73f55597dd1bfcd524da
* | | Merge "Update JavaDoc to replace deprecated Parcel read APIs." am: ↵Hao Ke2022-02-281-1/+14
|\| | | | | | | | | | | | | | | | | | | | | | | 06ee57cda1 am: d1fdbdff31 am: d38ca191d5 Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/1977155 Change-Id: I7572a1f8842f45ec3b748b8dda3bba0d19626077
| * | Merge "Update JavaDoc to replace deprecated Parcel read APIs."Hao Ke2022-02-251-1/+14
| |\ \ | | |/ | |/|
| | * Update JavaDoc to replace deprecated Parcel read APIs.Hao Ke2022-02-241-1/+14
| | | | | | | | | | | | | | | | | | Bug: 195622897 Change-Id: I5f6444dcc87ad76bf6f6312eea68891aa07604cb Test: None
* | | Merge "Add safer Bundle APIs and deprecated old ones" am: c5589d2c92 am: ↵Bernardo Rufino2022-02-221-71/+134
|\| | | | | | | | | | | | | | | | | | | | | | | ce09bba3fc am: aed366dc04 Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/1988908 Change-Id: I684471f938a4400fae3309ad2c9759d808075aea
| * | Add safer Bundle APIs and deprecated old onesBernardo Rufino2022-02-191-71/+134
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add safer Bundle APIs that take an extra Class<T> argument that checks that the type about to be deserialized is a child of the type passed in parameter *before* actually deserializing it, while also deprecating old APIs. This allows use to reap the benefits of the new typed Parcel APIs and enhances security. Only the APIs that could involve custom object injection are modified. So, besides the obvious ones that have that design (eg. readParcelableList()), subtler cases such as readIntegerArrayList() could result in custom object deserialization, and since it's all generics, even the casting inside Bundle wouldn't fail, only after the client unpacked the list items would it blow up. Now those are checked beforehand. Since Bundle always calls Parcel.readValue() under the hood (instead of specialized APIs such as readParcelable() etc), we had to augment that method (that's used by LazyValue when retrieving the item) to accept item types now for containers, which I implemented as a vararg of Class<?> parameters (this is all private/@hide). This way we could retrieve a list of intents like readValue(.., List.class, Intent.class), or a map of string to intents like readValue(.., Map.class, String.class, Intent.class). For non-container items, we can just pass no arguments for the vararg. This is explained in internal javadocs. Inside readValue() now, we also check the container types before calling the internal methods for deserialization. So, if the thing on the wire is a VAL_MAP and we know the method we're about to call will return a HashMap, we verify that the type passed in parameter is a super type of that (if it's non-null, if it's null it means "perform no check"). Now, LazyValue became a BiFunction<Class<?>, Class<?>[], Object> to receive those extra "item types" for containers. The reason for separating the first from the rest is that the first defines the return type in the new APIs and inside Parcel, so we need the T from Class<T> to ensure type-safety. (I was torn here between using BiFunction or just exposing LazyValue as @hide for Bundle since it feels like we're missing meaning/abstraction, but end up leaving this way, advise if you'd prefer the other way) There was a bit of a refactor in Parcel so readValue() could call internal methods that accepted nullable Class<?> parameters with the meaning that null = "no verification" and non-null = "check against type provided" (because the external APIs all require non-null parameters). Now we can return null in all cases when there is a type mismatch. Note that the Bundle APIs catch ClassCastException to return null, but that only works for non-generic types (eg. getSizeF()). For generic types wrapping "return (T) o" with try-catch doesn't work because the type gets erased to its bound at runtime, so the type mismatch escapes that try-catch to the caller, potentially causing a crash. Now they happen inside the getters, as the non-generic ones. Test: Boots for now Test: Working on CTS Test: atest -d android.os.cts.ParcelTest android.os.cts.BundleTest android.os.BundleTest android.os.ParcelTest CTS-Coverage-Bug: 219980813 Change-Id: Ifcbeb34b4684d7de105756b9d414162a9205ffaa
| * | Add @hide Bundle.getParcelable() with explicit typeBernardo Rufino2022-02-161-11/+12
| |/ | | | | | | | | | | | | | | | | | | | | | | | | Provider a type-safer API getParcelable() that takes a Class<?> parameter. Test: Manual (tested downstream) Bug: 213169612 Bug: 212804042 Bug: 212803946 Bug: 210885162 Merged-In: Ieebc044043e0776e71d35c1cc11be9299f972c45 Change-Id: I76f9558bfa1525877bec15cfc43abdc43cba0f24
* | Safer @hide Bundle.getParcelable() with explicit typeBernardo Rufino2022-02-091-11/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Provider a safer API getParcelable() that takes a Class<?> parameter just like the safer Parcel APIs introduced, so we check the type before deserializing, preventing unexpected and potentially vulnerable code being executed (technique used in the bugs). Making it @hide since ASA requested this in T (more details on bugs) and the urgent usage is inside the platform, we can flesh out a public API for U. Test: App code gpaste/6130483466338304 logs gpaste/5148052949041152 Bug: 213169612 Bug: 212804042 Bug: 212803946 Bug: 210885162 Change-Id: Ieebc044043e0776e71d35c1cc11be9299f972c45
* | Merge "Support "Parcel.propagateAllowBlocking" for AIDL" am: bcefef7a8c am: ↵Treehugger Robot2022-02-021-1/+66
|\| | | | | | | | | | | | | | | 7d4245bc61 am: 4dbefbccd5 am: f1bc977e8d Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/1964223 Change-Id: Ie91a206e927a8c857cc3eb556b95bae5d49e89b3
| * Merge "Support "Parcel.propagateAllowBlocking" for AIDL"Treehugger Robot2022-02-021-1/+66
| |\
| | * Support "Parcel.propagateAllowBlocking" for AIDLMakoto Onuki2022-02-011-1/+66
| | | | | | | | | | | | | | | | | | Bug: 216685683 Test: atest android.os.cts.ParcelTest Change-Id: I9299632c8c4fd88afc6b539270c097b9c00188b3
* | | Merge "Add Parcel APIs for fixed-size array" am: aa16747474 am: 14b9e5e7da ↵Jooyung Han2022-02-021-0/+407
|\| | | | | | | | | | | | | | | | | | | | | | | am: 3b606f3c91 am: 78eabfbcaf Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/1958141 Change-Id: I908bd99259ef6d47af0f0c1ca66fbe68703e4da9
| * | Merge "Add Parcel APIs for fixed-size array"Jooyung Han2022-02-021-0/+407
| |\ \
| | * | Add Parcel APIs for fixed-size arrayJooyung Han2022-01-261-0/+407
| | |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | * createFixedArray() * readFixedArray() * writeFixedArray() Bug: 207087196 Test: android.os.cts.ParcelTest Change-Id: Ie1b742dccba26b9c473d46f8d6b9edfda3ee5eeb
* | | Merge "Revert "Changing readParcelable and readSerializable's method ↵Treehugger Robot2022-01-271-10/+7
|\| | | | | | | | | | | | | | | | | | | | | | | signatures."" am: de1df073cb am: c75c2e1818 am: 50f0139d43 am: 41285faf9a Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/1960781 Change-Id: I158b6db9798b98c6b668d42b19c9a136b138e038
| * | Revert "Changing readParcelable and readSerializable's method signatures."Adrian Roos2022-01-261-10/+7
| |/ | | | | | | | | | | | | | | | | This reverts commit 9c4045f7c9c265a3a7026d381ff7f502b810256c. Reason for revert: API council feedback Bug: 210800751 Change-Id: I2ebcc0a94aad393e75a6aaf2addc333eb7fa437f
* | Merge "Changing readParcelable and readSerializable's method signatures." ↵Hao Ke2022-01-211-7/+10
|\| | | | | | | | | | | | | | | am: d5b3a5c4a9 am: 6c1f3fbcd2 am: 1ff8962b79 am: 70398d2001 Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/1953436 Change-Id: Iaef6f3bd68561b879bf0d1600b7296b5c39b225a
| * Changing readParcelable and readSerializable's method signatures.Hao Ke2022-01-191-7/+10
| | | | | | | | | | | | Bug: 210800751 Test: atest -d android.os.cts.ParcelTest Change-Id: Ie0a1deafc6e876ea01bfa5cee221ef81fecdfe59
* | Merge "Add @SystemApi annotation to parcel.writeBlob and readBlob."Terry Wang2021-12-141-8/+15
|\ \ | |/ |/|
| * Add @SystemApi annotation to parcel.writeBlob and readBlob.Terry Wang2021-12-021-8/+15
| | | | | | | | | | | | | | | | | | | | | | AppSearch will put text-based document via binder to server side. Parcel.writeBlob could take care of decide where to put in Android Shared Memory if data is too large. Remove {@SystemApi} to make it available for AppSearch. Bug: 185441119 Test: presubmit Change-Id: I95218fdca2baa5b4a287f05c9d79273b4a6e622c
* | Don't require T to extend Parcelable or Serializable in ParcelHao Ke2021-12-091-13/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is because we want to support the use-case where the caller enforces a specific class type that doesn't implement Parcelable or Serializable but the child classes written on the payload implement them. One such use-case that needs this before migrating is https://cs.android.com/android/platform/superproject/+/master:frameworks/base/core/java/com/android/internal/infra/AndroidFuture.java;l=596;drc=2d6a545e3042d7cc91b54746e774681a05e0ff22: we need to enforce Throwable class but it doesn't implement Parcelable itself, while its children written on the wire are expected to. Test: atest -d android.os.cts.ParcelTest Bug: 195622897 Change-Id: I150416d0cfb0b87ddbaff1041d8d60aa205f6f39
* | Merge "Deprecate unsafe Parcel.readParcelableArray(ClassLoader)"Bernardo Rufino2021-12-091-1/+8
|\ \
| * | Deprecate unsafe Parcel.readParcelableArray(ClassLoader)Bernardo Rufino2021-12-061-1/+8
| |/ | | | | | | | | | | | | | | Forgot this one. Test: Builds Bug: 195622897 Change-Id: Ia258f77fd2e706d2071c853c20d6ec3baa170a1f
* | Merge "Set default ClassLoader for Parcel readSerializable API."Hao Ke2021-12-061-4/+10
|\ \
| * | Set default ClassLoader for Parcel readSerializable API.Hao Ke2021-12-061-4/+10
| |/ | | | | | | | | | | | | | | | | | | | | | | | | Set the default ClassLoader for the readSerializable(ClassLoader, Class) API, when the ClassLoader parameter is null. Doing so could enhance the security of Parcel deserialization, as it would prevent resolving the Serializable class using unexpected ClassLoaders. Test: atest -d android.os.cts.ParcelTest Bug: 195622897 Change-Id: I6da4b4f817c33e4464d90d1e9775b54793835c92
* | Merge "Added End-of-Parcel check API."Hao Ke2021-12-031-0/+13
|\ \
| * | Added End-of-Parcel check API.Hao Ke2021-12-021-0/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Added End-of-Parcel check API, that verifies there are no bytes left to be read on the Parcel. Test: atest -d android.os.cts.ParcelTest#testEnforceNoDataAvail Bug: 195622897 Bug: 204990745 Change-Id: I3068568d8d4371b071aecd357adeb45a2d7103e4
* | | Deprecate unsafe readParcelableList API.Hao Ke2021-12-021-0/+7
|/ / | | | | | | | | | | | | | | | | | | | | | | Deprecate unsafe parcel APIs and point to the safer ones that take the expected type as parameter. Also mentioned the typed ones that take the creator as argument since those are also more performant. Test: Builds Bug: 195622897 Bug: 199275680 Bug: 205985058 Change-Id: I77a1a925d8759fd122936780587e3488705d4c56
* / Adding typed Parcel readParcelableList API.Hao Ke2021-11-291-9/+34
|/ | | | | | | | | | | | | | Added typed Parcel readParcelableList API that takes extra clazz parameters check that the class written on the wire is the same, or a descendant from the one provided as the key and value arguments. Doing so could enhance the security of Parcel deserialization, as it would prevent unexpected types of objects being deserialized. More details can be found at go/safer-parcel. Test: atest -d android.os.cts.ParcelTest Bug: 195622897 Change-Id: Ibdb90fa622ef6eaa0bd2b9de629f51fc4fa7091a
* Deprecate unsafe parcel APIsBernardo Rufino2021-11-121-2/+53
| | | | | | | | | | | | | | | | | | | | | | | Deprecate unsafe parcel APIs and point to the safer ones that take the expected type as parameter. Where applicable also mention the typed ones that take the creator as argument since those are also more performant. APIs deprecated here are: * readMap(Map, ClassLoader) * readList(List, ClassLoader) * readHashMap(ClassLoader) * readArrayList(ClassLoader) * readArray(ClassLoader) * readSparseArray(ClassLoader) * readParcelable(ClassLoader) * readParcelableCreator(ClassLoader) * readSerializable() Test: Builds Bug: 195622897 Bug: 199275680 Bug: 205985058 Change-Id: Ic41ae13e0d965b1fd346985c77c1eecc605285b2
* Merge "Adding typed Parcel readMap and readHashMap APIs."Hao Ke2021-11-101-11/+59
|\
| * Adding typed Parcel readMap and readHashMap APIs.Hao Ke2021-11-101-11/+59
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Added typed read API of `readMap` and `readHashMap`, that takes extra clazz parameters check that the class written on the wire is the same or a descendant from the one provided as the key and value arguments. Doing so could enhance the security of Parcel deserialization, as it would prevent unexpected types of objects being deserialized. More details can be found at go/safer-parcel. Test: atest -d android.os.cts.ParcelTest Bug: 195622897 Change-Id: Ife9d1d7277b6345a6e11856179c301339b2dc087
* | Parcel: add new methods for interface list/arrayJooyung Han2021-11-091-1/+145
|/ | | | | | | | | | | | | | | | | | | | New methods are to write a list/array of interface objects and to read them again. Basically these methods are quite similar to those for IBinder objects. But when reading IInterface objects, we need to create an array of the exact type and need a way of converting IBinder into IInterface value. Two functional interfaces (newArray and asInterface) are just like while Parcelable.Creator does. We could pass "Stub" class which is generated by the AIDL compiler and use reflection to create a typed array instance and call `asInterface` method. But rather than relying on reflection, passing `IMyInterface[]::new` and `IMyInterface.Stub::asInterface` would be simple enough to use. Bug: 205195901 Test: atest -d android.os.cts.ParcelTest Change-Id: I275db9ebf52d3b9713fa105d81da3a1d289d96a8
* Merge "Improve @hide Parcel.hasFileDescriptors(Object)"Bernardo Rufino2021-11-051-33/+46
|\
| * Improve @hide Parcel.hasFileDescriptors(Object)Bernardo Rufino2021-11-021-33/+46
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Addressing Jeff's comment on aosp/1787847 to support List<> in Parcel.hasFileDescriptor(), also added support for Map (+ArrayMap) and Object[] that were missing. Made the checks recursive since it's possible to put nested containers in bundle. Since that's @hide and only used by bundle, included Parcel as a supported type too and clarified in the javadoc. That allowed to clean up Bundle.hasFileDescriptors(). Bug: 195622897 Test: atest -d android.os.cts.ParcelTest android.os.cts.BundleTest android.os.BundleTest android.os.ParcelTest Change-Id: I6acf358763d8f544fc6ff1a5b0c8bdff567d50be
* | Merge "Adding typed Parcel read APIs for Serializable."Hao Ke2021-11-021-19/+64
|\ \ | |/ |/|
| * Adding typed Parcel read APIs for Serializable.Hao Ke2021-10-291-20/+64
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Added typed read API of `readSerializable`, that takes an extra Class<T> parameter to check that the class written on the wire is the same or a descendant from the one provided as argument. Doing so could enhance the security of Parcel deserialization, as it would prevent unexpected types of objects being deserialized. More details can be found at go/safer-parcel. Test: atest -d android.os.cts.ParcelTest Bug: 195622897 Change-Id: I94e48ac7fe8f5d3ba4c54100cb76ce3e4aacdd09
* | Merge "Add range-based Parcel.compareData()"Bernardo Rufino2021-11-011-14/+9
|\ \
| * | Add range-based Parcel.compareData()Bernardo Rufino2021-10-281-14/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | To be used by lazy value. Now, we also remove getValueParcel() that was copying the section of the parcel since we don't need that anymore. Test: atest -d android.os.cts.ParcelTest android.os.cts.BundleTest android.os.BundleTest android.os.ParcelTest Bug: 195622897 Change-Id: Ic8a0d1b6a268a81df7a1e56fa1e4b307a25210b6
* | | Merge "Adding typed Parcel read APIs 2"Hao Ke2021-10-271-41/+142
|\ \ \ | |/ / |/| |
| * | Adding typed Parcel read APIs 2Hao Ke2021-10-231-41/+142
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Added typed read APIs of `readArray`, `readArrayList`, `readParcelableArray` and `readSparseArray`. To avoid unexpected types of objects being unparcelled, ideally clients would use the readTypedXXX() methods that take the parcelable creator. However, this won’t be an option for use cases involving deserializing children objects inherited from non-final parcelable or serializable objects. Currently out of ~4k parcelable classes, only ~1.5k are marked as “final” in the platform. Hence it would be necessary to introduce new replacements that take an extra Class<T> parameter and before deserializing we check that the class written on the wire is the same or a descendant from the one provided as argument. Doing so could enhance the security of Parcel deserialization, More details can be found at go/safer-parcel. Test: atest -d android.os.cts.ParcelTest Bug: 195622897 Change-Id: Iaba24c35a0c0acc77ae2d22ac77c5a90efd93329
generated by cgit v1.2.3 (git 2.25.1) at 2025-12-21 16:03:18 +0000