Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 657903f7 authored by Michael Mikhail's avatar Michael Mikhail Committed by Automerger Merge Worker
Browse files

Merge "Verify URI permissions in MediaMetadata" into udc-dev am: 9dd2c381... 

Merge "Verify URI permissions in MediaMetadata" into udc-dev am: 9dd2c381 am: 219e58f9 am: 015b8129

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/22956849



Change-Id: I5a2ba1268570af964c50d42156bd157ea594198c
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents b5bd238c 015b8129

services/core/java/com/android/server/media/MediaSessionRecord.java

+42 −9
Original line number Diff line number Diff line
@@ -33,6 +33,8 @@ import android.app.compat.CompatChanges; 
import android.compat.annotation.ChangeId;

import android.compat.annotation.EnabledSince;

import android.content.ComponentName;

import android.content.ContentProvider;

import android.content.ContentResolver;

import android.content.Context;

import android.content.Intent;

import android.content.pm.PackageManager;
@@ -74,6 +76,7 @@ import android.util.Log; 
import android.view.KeyEvent;



import com.android.server.LocalServices;

import com.android.server.uri.UriGrantsManagerInternal;



import java.io.PrintWriter;

import java.util.ArrayList;
@@ -101,6 +104,10 @@ public class MediaSessionRecord implements IBinder.DeathRecipient, MediaSessionR 
    static final long THROW_FOR_INVALID_BROADCAST_RECEIVER = 270049379L;



    private static final String TAG = "MediaSessionRecord";

    private static final String[] ART_URIS = new String[] {

            MediaMetadata.METADATA_KEY_ALBUM_ART_URI,

            MediaMetadata.METADATA_KEY_ART_URI,

            MediaMetadata.METADATA_KEY_DISPLAY_ICON_URI};

    private static final boolean DEBUG = Log.isLoggable(TAG, Log.DEBUG);



    /**
@@ -154,6 +161,7 @@ public class MediaSessionRecord implements IBinder.DeathRecipient, MediaSessionR 
    private final SessionStub mSession;

    private final SessionCb mSessionCb;

    private final MediaSessionService mService;

    private final UriGrantsManagerInternal mUgmInternal;

    private final Context mContext;

    private final boolean mVolumeAdjustmentForRemoteGroupSessions;
@@ -215,6 +223,7 @@ public class MediaSessionRecord implements IBinder.DeathRecipient, MediaSessionR 
        mAudioManager = (AudioManager) mContext.getSystemService(Context.AUDIO_SERVICE);

        mAudioAttrs = DEFAULT_ATTRIBUTES;

        mPolicies = policies;

        mUgmInternal = LocalServices.getService(UriGrantsManagerInternal.class);

        mVolumeAdjustmentForRemoteGroupSessions = mContext.getResources().getBoolean(

                com.android.internal.R.bool.config_volumeAdjustmentForRemoteGroupSessions);
@@ -1080,21 +1089,45 @@ public class MediaSessionRecord implements IBinder.DeathRecipient, MediaSessionR 
        public void setMetadata(MediaMetadata metadata, long duration, String metadataDescription)

                throws RemoteException {

            synchronized (mLock) {

                MediaMetadata temp = metadata == null ? null : new MediaMetadata.Builder(metadata)

                        .build();

                // This is to guarantee that the underlying bundle is unparceled

                // before we set it to prevent concurrent reads from throwing an

                // exception

                if (temp != null) {

                    temp.size();

                }

                mMetadata = temp;

                mDuration = duration;

                mMetadataDescription = metadataDescription;

                mMetadata = sanitizeMediaMetadata(metadata);

            }

            mHandler.post(MessageHandler.MSG_UPDATE_METADATA);

        }



        private MediaMetadata sanitizeMediaMetadata(MediaMetadata metadata) {

            if (metadata == null) {

                return null;

            }

            MediaMetadata.Builder metadataBuilder = new MediaMetadata.Builder(metadata);

            for (String key: ART_URIS) {

                String uriString = metadata.getString(key);

                if (TextUtils.isEmpty(uriString)) {

                    continue;

                }

                Uri uri = Uri.parse(uriString);

                if (!ContentResolver.SCHEME_CONTENT.equals(uri.getScheme())) {

                    continue;

                }

                try {

                    mUgmInternal.checkGrantUriPermission(getUid(),

                            getPackageName(),

                            ContentProvider.getUriWithoutUserId(uri),

                            Intent.FLAG_GRANT_READ_URI_PERMISSION,

                            ContentProvider.getUserIdFromUri(uri, getUserId()));

                } catch (SecurityException e) {

                    metadataBuilder.putString(key, null);

                }

            }

            MediaMetadata sanitizedMetadata = metadataBuilder.build();

            // sanitizedMetadata.size() guarantees that the underlying bundle is unparceled

            // before we set it to prevent concurrent reads from throwing an

            // exception

            sanitizedMetadata.size();

            return sanitizedMetadata;

        }



        @Override

        public void setPlaybackState(PlaybackState state) throws RemoteException {

            int oldState = mPlaybackState == null