Android/frameworks_base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Validate user-supplied tree URIs in DocumentsProvider calls

Browse Source 
Currently we only validate DocumentsContract.EXTRA_URI, this change
validates other URIs suchs as DocumentsContract.EXTRA_TARGET_URI and
DocumentsContract.EXTRA_PARENT_URI as well

Bug: 157320716
Test: Manually using the test app in b/157320716#comment1
Change-Id: I90fd1e62aa7dc333bf32eb80ccc5b181a1d54e41
Merged-In: I90fd1e62aa7dc333bf32eb80ccc5b181a1d54e41
(cherry picked from commit b9f4fb7928)
This commit is contained in:
Abhijeet Kaur
2020-08-12 17:34:22 +01:00
parent 249b137d92
commit eca247f2d3
1 changed files with 12 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
core/java/android/provider/DocumentsProvider.java
View File

@@ -218,8 +218,15 @@ public abstract class DocumentsProvider extends ContentProvider {
}
/** {@hide} */
private void enforceTree(Uri documentUri) {
if (isTreeUri(documentUri)) {
private void enforceTreeForExtraUris(Bundle extras) {
enforceTree(extras.getParcelable(DocumentsContract.EXTRA_URI));
enforceTree(extras.getParcelable(DocumentsContract.EXTRA_PARENT_URI));
enforceTree(extras.getParcelable(DocumentsContract.EXTRA_TARGET_URI));
}
/** {@hide} */
private void enforceTree(@Nullable Uri documentUri) {
if (documentUri != null && isTreeUri(documentUri)) {
final String parent = getTreeDocumentId(documentUri);
final String child = getDocumentId(documentUri);
if (Objects.equals(parent, child)) {
@@ -1080,6 +1087,9 @@ public abstract class DocumentsProvider extends ContentProvider {
final Context context = getContext();
final Bundle out = new Bundle();
// If the URI is a tree URI performs some validation.
enforceTreeForExtraUris(extras);
final Uri extraUri = validateIncomingNullableUri(
extras.getParcelable(DocumentsContract.EXTRA_URI));
final Uri extraTargetUri = validateIncomingNullableUri(
@@ -1110,9 +1120,6 @@ public abstract class DocumentsProvider extends ContentProvider {
"Requested authority " + authority + " doesn't match provider " + mAuthority);
}
// If the URI is a tree URI performs some validation.
enforceTree(documentUri);
if (METHOD_IS_CHILD_DOCUMENT.equals(method)) {
enforceReadPermissionInner(documentUri, getCallingPackage(),
getCallingAttributionTag(), null);