
Commit 344744b4 authored by Jeff Sharkey's avatar Jeff Sharkey

Exposing file:// beyond your app is bad, m'kay?

For several releases now we've told developers that sharing raw files
between apps is a recipe for trouble.  There are at least three major
problems with sending raw files:

-- Apps sending generic intents can't know who is at the other end,
so they may not have access to shared storage locations.  This is
more likely now that runtime permissions require apps to explicitly
ask users for permission.

-- Apps making files in their private storage world-readable has been
deprecated for several releases, and now in N it's fully blocked.  If
we let these intents through, the receiving app would fail to open
the file, when the real blame rests on the sending app.

-- Devices with user profiles can't share raw files when using
cross-profile intent filters, since filesystem access is fully
locked down between users.

The time has finally come to communicate clearly that if you're
sharing content between apps, you need to use content:// Uris.  We
added the simple FileProvider several years ago to give apps a clean
way to migrate with minimal work on their part.

Bug: 26860922, 9069185
Change-Id: I075f627f6a0d6c7fca2c090ca133b9aae9801c64
parent a74cce60
+5 −0
@@ -28536,6 +28536,10 @@ package android.os {
    field public static final int OPEN = 32; // 0x20
  }
  public class FileUriExposedException extends java.lang.RuntimeException {
    ctor public FileUriExposedException(java.lang.String);
  }
  public class Handler {
    ctor public Handler();
    ctor public Handler(android.os.Handler.Callback);
@@ -29127,6 +29131,7 @@ package android.os {
    method public android.os.StrictMode.VmPolicy.Builder detectLeakedSqlLiteObjects();
    method public android.os.StrictMode.VmPolicy.Builder penaltyDeath();
    method public android.os.StrictMode.VmPolicy.Builder penaltyDeathOnCleartextNetwork();
    method public android.os.StrictMode.VmPolicy.Builder penaltyDeathOnFileUriExposure();
    method public android.os.StrictMode.VmPolicy.Builder penaltyDropBox();
    method public android.os.StrictMode.VmPolicy.Builder penaltyLog();
    method public android.os.StrictMode.VmPolicy.Builder setClassInstanceLimit(java.lang.Class, int);
+5 −0
@@ -30421,6 +30421,10 @@ package android.os {
    field public static final int OPEN = 32; // 0x20
  }
  public class FileUriExposedException extends java.lang.RuntimeException {
    ctor public FileUriExposedException(java.lang.String);
  }
  public class Handler {
    ctor public Handler();
    ctor public Handler(android.os.Handler.Callback);
@@ -31020,6 +31024,7 @@ package android.os {
    method public android.os.StrictMode.VmPolicy.Builder detectLeakedSqlLiteObjects();
    method public android.os.StrictMode.VmPolicy.Builder penaltyDeath();
    method public android.os.StrictMode.VmPolicy.Builder penaltyDeathOnCleartextNetwork();
    method public android.os.StrictMode.VmPolicy.Builder penaltyDeathOnFileUriExposure();
    method public android.os.StrictMode.VmPolicy.Builder penaltyDropBox();
    method public android.os.StrictMode.VmPolicy.Builder penaltyLog();
    method public android.os.StrictMode.VmPolicy.Builder setClassInstanceLimit(java.lang.Class, int);
+5 −0
@@ -28545,6 +28545,10 @@ package android.os {
    field public static final int OPEN = 32; // 0x20
  }
  public class FileUriExposedException extends java.lang.RuntimeException {
    ctor public FileUriExposedException(java.lang.String);
  }
  public class Handler {
    ctor public Handler();
    ctor public Handler(android.os.Handler.Callback);
@@ -29136,6 +29140,7 @@ package android.os {
    method public android.os.StrictMode.VmPolicy.Builder detectLeakedSqlLiteObjects();
    method public android.os.StrictMode.VmPolicy.Builder penaltyDeath();
    method public android.os.StrictMode.VmPolicy.Builder penaltyDeathOnCleartextNetwork();
    method public android.os.StrictMode.VmPolicy.Builder penaltyDeathOnFileUriExposure();
    method public android.os.StrictMode.VmPolicy.Builder penaltyDropBox();
    method public android.os.StrictMode.VmPolicy.Builder penaltyLog();
    method public android.os.StrictMode.VmPolicy.Builder setClassInstanceLimit(java.lang.Class, int);
+7 −7
@@ -4397,7 +4397,7 @@ public class Activity extends ContextThemeWrapper
            String resolvedType = null;
            if (fillInIntent != null) {
                fillInIntent.migrateExtraStreamToClipData();
                fillInIntent.prepareToLeaveProcess();
                fillInIntent.prepareToLeaveProcess(this);
                resolvedType = fillInIntent.resolveTypeIfNeeded(getContentResolver());
            }
            int result = ActivityManagerNative.getDefault()
@@ -4629,7 +4629,7 @@ public class Activity extends ContextThemeWrapper
                    intent.putExtra(Intent.EXTRA_REFERRER, referrer);
                }
                intent.migrateExtraStreamToClipData();
                intent.prepareToLeaveProcess();
                intent.prepareToLeaveProcess(this);
                result = ActivityManagerNative.getDefault()
                    .startActivity(mMainThread.getApplicationThread(), getBasePackageName(),
                            intent, intent.resolveTypeIfNeeded(getContentResolver()), mToken,
@@ -4700,7 +4700,7 @@ public class Activity extends ContextThemeWrapper
        if (mParent == null) {
            try {
                intent.migrateExtraStreamToClipData();
                intent.prepareToLeaveProcess();
                intent.prepareToLeaveProcess(this);
                return ActivityManagerNative.getDefault()
                    .startNextMatchingActivity(mToken, intent, options);
            } catch (RemoteException e) {
@@ -5128,7 +5128,7 @@ public class Activity extends ContextThemeWrapper
            if (false) Log.v(TAG, "Finishing self: token=" + mToken);
            try {
                if (resultData != null) {
                    resultData.prepareToLeaveProcess();
                    resultData.prepareToLeaveProcess(this);
                }
                if (ActivityManagerNative.getDefault()
                        .finishActivity(mToken, resultCode, resultData, finishTask)) {
@@ -5355,7 +5355,7 @@ public class Activity extends ContextThemeWrapper
            @PendingIntent.Flags int flags) {
        String packageName = getPackageName();
        try {
            data.prepareToLeaveProcess();
            data.prepareToLeaveProcess(this);
            IIntentSender target =
                ActivityManagerNative.getDefault().getIntentSender(
                        ActivityManager.INTENT_SENDER_ACTIVITY_RESULT, packageName,
@@ -6335,10 +6335,10 @@ public class Activity extends ContextThemeWrapper
                resultData = mResultData;
            }
            if (resultData != null) {
                resultData.prepareToLeaveProcess();
                resultData.prepareToLeaveProcess(this);
            }
            try {
                upIntent.prepareToLeaveProcess();
                upIntent.prepareToLeaveProcess(this);
                return ActivityManagerNative.getDefault().navigateUpTo(mToken, upIntent,
                        resultCode, resultData);
            } catch (RemoteException e) {
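Review bot: Only the three start paths (hunks at 4397, 4629 and 4700) call `migrateExtraStreamToClipData()` before `prepareToLeaveProcess(this)`; the result and up-navigation paths (hunks at 5128, 5355 and 6335) pass `resultData`, `data` and `upIntent` straight in. The body of the new overload is not in this section, but if its file:// check looks only at the Intent's data Uri and ClipData, a Uri carried in `EXTRA_STREAM` of a result Intent would not be reported. Consider calling `resultData.migrateExtraStreamToClipData();` before `resultData.prepareToLeaveProcess(this);` on those paths, or add a comment there saying why result Intents are exempt. All of the enclosing methods start and end outside their hunks.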
+13 −6
@@ -56,6 +56,7 @@ import android.net.Uri;
import android.opengl.GLUtils;
import android.os.AsyncTask;
import android.os.Binder;
import android.os.Build;
import android.os.Bundle;
import android.os.Debug;
import android.os.DropBoxManager;
@@ -4959,16 +4960,22 @@ public final class ActivityThread {
        }

        /**
         * For apps targetting SDK Honeycomb or later, we don't allow
         * network usage on the main event loop / UI thread.
         *
         * Note to those grepping:  this is what ultimately throws
         * NetworkOnMainThreadException ...
         * For apps targetting Honeycomb or later, we don't allow network usage
         * on the main event loop / UI thread. This is what ultimately throws
         * {@link NetworkOnMainThreadException}.
         */
        if (data.appInfo.targetSdkVersion > 9) {
        if (data.appInfo.targetSdkVersion >= Build.VERSION_CODES.HONEYCOMB) {
            StrictMode.enableDeathOnNetwork();
        }

        /**
         * For apps targetting N or later, we don't allow file:// Uri exposure.
         * This is what ultimately throws {@link FileUriExposedException}.
         */
        if (data.appInfo.targetSdkVersion >= Build.VERSION_CODES.N) {
            StrictMode.enableDeathOnFileUriExposure();
        }

        NetworkSecurityPolicy.getInstance().setCleartextTrafficPermitted(
                (data.appInfo.flags & ApplicationInfo.FLAG_USES_CLEARTEXT_TRAFFIC) != 0);
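Review bot: The rewritten network check is not equivalent to the line it replaces: `targetSdkVersion > 9` also matched apps targeting API 10, while `>= Build.VERSION_CODES.HONEYCOMB` (API 11) no longer does, so those apps stop getting `StrictMode.enableDeathOnNetwork()`. If the narrower threshold is intended to match the comment, the commit message should say so, since it is unrelated to the file:// change; otherwise keep the old behaviour with `if (data.appInfo.targetSdkVersion >= Build.VERSION_CODES.GINGERBREAD_MR1) {`. Both the reworded comment and the new one spell "targetting", where "targeting" is the usual form. The enclosing method starts and ends outside the hunk.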
