
Commit 5ab3c0d4 authored by Pinyao Ting's avatar Pinyao Ting Committed by android-build-merger

Merge "fixes a security vulnerability in slice provider" into qt-dev am: bc59740f

am: e3f595c0

Change-Id: I9462bb67bf30732d570c8b84a0d9e4839aef9be4
parents f465d5a2 e3f595c0
+14 −6
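--- a/SliceProvider.java
+++ b/SliceProvider.java
@@ -355,7 +355,8 @@ public abstract class SliceProvider extends ContentProvider {
     @Override
     public Bundle call(String method, String arg, Bundle extras) {
         if (method.equals(METHOD_SLICE)) {
-            Uri uri = getUriWithoutUserId(extras.getParcelable(EXTRA_BIND_URI));
+            Uri uri = getUriWithoutUserId(validateIncomingUriOrNull(
+                    extras.getParcelable(EXTRA_BIND_URI)));
             List<SliceSpec> supportedSpecs = extras.getParcelableArrayList(EXTRA_SUPPORTED_SPECS);
 
             String callingPackage = getCallingPackage();
@@ -369,7 +370,7 @@ public abstract class SliceProvider extends ContentProvider {
         } else if (method.equals(METHOD_MAP_INTENT)) {
             Intent intent = extras.getParcelable(EXTRA_INTENT);
             if (intent == null) return null;
-            Uri uri = onMapIntentToUri(intent);
+            Uri uri = validateIncomingUriOrNull(onMapIntentToUri(intent));
             List<SliceSpec> supportedSpecs = extras.getParcelableArrayList(EXTRA_SUPPORTED_SPECS);
             Bundle b = new Bundle();
             if (uri != null) {
@@ -383,24 +384,27 @@ public abstract class SliceProvider extends ContentProvider {
         } else if (method.equals(METHOD_MAP_ONLY_INTENT)) {
             Intent intent = extras.getParcelable(EXTRA_INTENT);
             if (intent == null) return null;
-            Uri uri = onMapIntentToUri(intent);
+            Uri uri = validateIncomingUriOrNull(onMapIntentToUri(intent));
             Bundle b = new Bundle();
             b.putParcelable(EXTRA_SLICE, uri);
             return b;
         } else if (method.equals(METHOD_PIN)) {
-            Uri uri = getUriWithoutUserId(extras.getParcelable(EXTRA_BIND_URI));
+            Uri uri = getUriWithoutUserId(validateIncomingUriOrNull(
+                    extras.getParcelable(EXTRA_BIND_URI)));
             if (Binder.getCallingUid() != Process.SYSTEM_UID) {
                 throw new SecurityException("Only the system can pin/unpin slices");
             }
             handlePinSlice(uri);
         } else if (method.equals(METHOD_UNPIN)) {
-            Uri uri = getUriWithoutUserId(extras.getParcelable(EXTRA_BIND_URI));
+            Uri uri = getUriWithoutUserId(validateIncomingUriOrNull(
+                    extras.getParcelable(EXTRA_BIND_URI)));
             if (Binder.getCallingUid() != Process.SYSTEM_UID) {
                 throw new SecurityException("Only the system can pin/unpin slices");
             }
             handleUnpinSlice(uri);
         } else if (method.equals(METHOD_GET_DESCENDANTS)) {
-            Uri uri = getUriWithoutUserId(extras.getParcelable(EXTRA_BIND_URI));
+            Uri uri = getUriWithoutUserId(
+                    validateIncomingUriOrNull(extras.getParcelable(EXTRA_BIND_URI)));
             Bundle b = new Bundle();
             b.putParcelableArrayList(EXTRA_SLICE_DESCENDANTS,
                     new ArrayList<>(handleGetDescendants(uri)));
@@ -416,6 +420,10 @@ public abstract class SliceProvider extends ContentProvider {
         return super.call(method, arg, extras);
     }
 
+    private Uri validateIncomingUriOrNull(Uri uri) {
+        return uri == null ? null : validateIncomingUri(uri);
+    }
+
     private Collection<Uri> handleGetDescendants(Uri uri) {
         mCallback = "onGetSliceDescendants";
         return onGetSliceDescendants(uri);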
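Review bot: `validateIncomingUriOrNull` passes a null straight through, so in the METHOD_SLICE, METHOD_PIN, METHOD_UNPIN and METHOD_GET_DESCENDANTS branches a call that omits `EXTRA_BIND_URI` skips validation and still reaches `getUriWithoutUserId` and the handlers; whether those tolerate null is not visible in these hunks. Null looks legitimate only for the `onMapIntentToUri` results (the MAP_INTENT branch already tests `uri != null`), so the bind-URI branches would be safer rejecting it up front, e.g. `if (bindUri == null) throw new IllegalArgumentException("Missing bind URI");` before calling `validateIncomingUri(bindUri)`. In the pin/unpin branches the `Binder.getCallingUid() != Process.SYSTEM_UID` check still runs after the caller-supplied URI has been unparcelled and validated; moving that check to the top of each branch would turn away non-system callers before any of their input is processed. The new helper also deserves a one-line comment such as `// Null passes through because onMapIntentToUri may return null; any non-null URI must pass validateIncomingUri.` The body of `call` starts and continues outside the hunks shown.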