Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 674cc4be authored by Yohei Yukawa's avatar Yohei Yukawa
Browse files

Clarify that InputMethod.attachToken() can be called at most once 

I don't know whether this comment was valid in the initial
implementation or not, in the current system InputMethod.attachToken()
is not (indirectly) exposed to the IME client process vir Binder
interface.  The only Binder interface that is exposed from the IME
process to the IME client process is IInputMethodSession, not
IInputMethod that implements attachToken().

One may think that a malicious app could try to call
Context.bindService() with InputMethod.SERVICE_INTERFACE to directly
obtain IInputMethod, but it should fail because IMEs must be
protecting their InputMethodService with BIND_INPUT_METHOD so that
only the system can bind to them.

This CL clarifies this point in both JavaDoc and its implementation.
If an IME happened to receive multiple attachToken(), it is an OS bug
and worth letting people know by crashing the IME process.

Fix: 114164394
Test: atest CtsInputMethodTestCases CtsInputMethodServiceHostTestCases
Change-Id: Ia1e1d5ce020155b906e42a222f27b76905217395
parent 029f67f8

core/java/android/inputmethodservice/InputMethodService.java

+5 −3
Original line number Diff line number Diff line
@@ -450,11 +450,13 @@ public class InputMethodService extends AbstractInputMethodService { 
        @MainThread

        @Override

        public void attachToken(IBinder token) {

            if (mToken == null) {

            if (mToken != null) {

                throw new IllegalStateException(

                        "attachToken() must be called at most once. token=" + token);

            }

            mToken = token;

            mWindow.setToken(token);

        }

        }



        /**

         * {@inheritDoc}

core/java/android/view/inputmethod/InputMethod.java

+4 −4
Original line number Diff line number Diff line
@@ -87,9 +87,9 @@ public interface InputMethod { 
     * This token <strong>must not</strong> be passed to applications, since

     * it grants special priviledges that should not be given to applications.

     *

     * <p>Note: to protect yourself from malicious clients, you should only

     * accept the first token given to you.  Any after that may come from the

     * client.

     * <p>The system guarantees that this method is called back between

     * {@link InputMethodService#onCreate()} and {@link InputMethodService#onDestroy()}

     * at most once.

     */

    @MainThread

    public void attachToken(IBinder token);