authorAbhijeet Kaur <abkaur@google.com>2020-08-12 17:34:22 +0100
committerandroid-build-team Robot <android-build-team-robot@google.com>2020-10-13 01:07:13 +0000
commit0b4cd450afbe085def06025b9ac1f6996217bfcb (patch)
tree602ac6a09fd8ccde8b59cb4c59231bc91eeb0f79
parentcdb913418a5a19c253daff3d6d9c6c2fc5ff0d61 (diff)
downloadbase-0b4cd450afbe085def06025b9ac1f6996217bfcb.tar.gz
Validate user-supplied tree URIs in DocumentsProvider calls
Currently we only validate DocumentsContract.EXTRA_URI; this change validates other URIs such as DocumentsContract.EXTRA_TARGET_URI and DocumentsContract.EXTRA_PARENT_URI as well. Bug: 157320716 Test: Manually using the test app in b/157320716#comment1 Change-Id: I90fd1e62aa7dc333bf32eb80ccc5b181a1d54e41 Merged-In: I90fd1e62aa7dc333bf32eb80ccc5b181a1d54e41 (cherry picked from commit b9f4fb792812f9a38ac54e69be6f121f7367c017) (cherry picked from commit eca247f2d33b18d14e0568512a7ee003cbbcd4a9)
-rw-r--r--core/java/android/provider/DocumentsProvider.java17
1 files changed, 12 insertions, 5 deletions
diff --git a/core/java/android/provider/DocumentsProvider.java b/core/java/android/provider/DocumentsProvider.java
index 91b591c7b77e..4e1f81919c7d 100644
--- a/core/java/android/provider/DocumentsProvider.java
+++ b/core/java/android/provider/DocumentsProvider.java
@@ -218,8 +218,15 @@ public abstract class DocumentsProvider extends ContentProvider {
}
/** {@hide} */
- private void enforceTree(Uri documentUri) {
- if (isTreeUri(documentUri)) {
+ private void enforceTreeForExtraUris(Bundle extras) {
+ enforceTree(extras.getParcelable(DocumentsContract.EXTRA_URI));
+ enforceTree(extras.getParcelable(DocumentsContract.EXTRA_PARENT_URI));
+ enforceTree(extras.getParcelable(DocumentsContract.EXTRA_TARGET_URI));
+ }
+
+ /** {@hide} */
+ private void enforceTree(@Nullable Uri documentUri) {
+ if (documentUri != null && isTreeUri(documentUri)) {
final String parent = getTreeDocumentId(documentUri);
final String child = getDocumentId(documentUri);
if (Objects.equals(parent, child)) {
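Review bot: `enforceTreeForExtraUris` is documented only with `/** {@hide} */`, so nothing records that its hard-coded list of three extras decides which caller-supplied URIs get the tree check. The call handler in the next hunk reads the same extras again for `validateIncomingNullableUri`, so a URI extra added later could be validated there and still skip the tree check. I would add a Javadoc along the lines of `/** Runs enforceTree on every URI extra a caller can supply; keep this list in sync with the extras read by the call handler. {@hide} */`. It is also worth stating on `enforceTree` that, with the new `documentUri != null` guard, an absent extra is skipped rather than rejected. The body of `enforceTree` continues past the end of this hunk.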
@@ -1080,6 +1087,9 @@ public abstract class DocumentsProvider extends ContentProvider {
final Context context = getContext();
final Bundle out = new Bundle();
+ // If the URI is a tree URI performs some validation.
+ enforceTreeForExtraUris(extras);
+
final Uri extraUri = validateIncomingNullableUri(
extras.getParcelable(DocumentsContract.EXTRA_URI));
final Uri extraTargetUri = validateIncomingNullableUri(
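Review bot: The added `enforceTreeForExtraUris(extras)` call runs ahead of `validateIncomingNullableUri(...)`. Judging by the context lines of the last hunk, it also runs ahead of the `Requested authority ... doesn't match provider` check that the removed `enforceTree(documentUri)` call used to follow, so the tree check now sees raw caller-supplied URIs whose authority has not yet been compared with `mAuthority`. If that ordering is deliberate, the comment should say so, for example `// Run the tree check on every caller-supplied URI extra before any method-specific handling.`. Otherwise the check could run on the validated locals once they exist, e.g. `enforceTree(extraUri); enforceTree(extraTargetUri);` plus the parent URI. The enclosing method starts before this hunk and continues after it.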
@@ -1110,9 +1120,6 @@ public abstract class DocumentsProvider extends ContentProvider {
"Requested authority " + authority + " doesn't match provider " + mAuthority);
}
- // If the URI is a tree URI performs some validation.
- enforceTree(documentUri);
-
if (METHOD_IS_CHILD_DOCUMENT.equals(method)) {
enforceReadPermissionInner(documentUri, getCallingPackage(),
getCallingAttributionTag(), null);