Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b7773ce8 authored by Seigo Nonaka's avatar Seigo Nonaka Committed by Neil Fuller
Browse files

Stop loading other package's font by default. 

Since CONTEXT_RESTRICTED is not a default flag of createPackageContext,
we can't rely on it for preventing unexpected font injections.
To protect developers and existing apps from a risk of font injection,
stop loading font from other package's resouce unless the developer
explicitly set CONTEXT_IGNORE_SECURITY.

Bug: 62813533
Bug: 62879353
Test: Manually done
Merged-In: I4442ddc48dadb5c968b444be86038b602074d301
Change-Id: I4442ddc48dadb5c968b444be86038b602074d301
(cherry picked from commit 6d6cd686)
parent 58ad534d

core/java/android/app/ContextImpl.java

+8 −0
Original line number Diff line number Diff line
@@ -2156,6 +2156,14 @@ class ContextImpl extends Context { 
        return (mFlags & Context.CONTEXT_CREDENTIAL_PROTECTED_STORAGE) != 0;

    }



    @Override

    public boolean canLoadUnsafeResources() {

        if (getPackageName().equals(getOpPackageName())) {

            return true;

        }

        return (mFlags & Context.CONTEXT_IGNORE_SECURITY) != 0;

    }



    @Override

    public Display getDisplay() {

        if (mDisplay == null) {

core/java/android/content/Context.java

+6 −0
Original line number Diff line number Diff line
@@ -4680,6 +4680,12 @@ public abstract class Context { 
    @SystemApi

    public abstract boolean isCredentialProtectedStorage();



    /**

     * Returns true if the context can load unsafe resources, e.g. fonts.

     * @hide

     */

    public abstract boolean canLoadUnsafeResources();



    /**

     * @hide

     */

core/java/android/content/ContextWrapper.java

+6 −0
Original line number Diff line number Diff line
@@ -925,6 +925,12 @@ public class ContextWrapper extends Context { 
        return mBase.isCredentialProtectedStorage();

    }



    /** {@hide} */

    @Override

    public boolean canLoadUnsafeResources() {

        return mBase.canLoadUnsafeResources();

    }



    /**

     * @hide

     */

core/java/android/widget/TextView.java

+3 −3
Original line number Diff line number Diff line
@@ -913,7 +913,7 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener 
                        break;



                    case com.android.internal.R.styleable.TextAppearance_fontFamily:

                        if (!context.isRestricted()) {

                        if (!context.isRestricted() && context.canLoadUnsafeResources()) {

                            try {

                                fontTypeface = appearance.getFont(attr);

                            } catch (UnsupportedOperationException
@@ -1233,7 +1233,7 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener 
                    break;



                case com.android.internal.R.styleable.TextView_fontFamily:

                    if (!context.isRestricted()) {

                    if (!context.isRestricted() && context.canLoadUnsafeResources()) {

                        try {

                            fontTypeface = a.getFont(attr);

                        } catch (UnsupportedOperationException | Resources.NotFoundException e) {
@@ -3417,7 +3417,7 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener 


        Typeface fontTypeface = null;

        String fontFamily = null;

        if (!context.isRestricted()) {

        if (!context.isRestricted() && context.canLoadUnsafeResources()) {

            try {

                fontTypeface = ta.getFont(R.styleable.TextAppearance_fontFamily);

            } catch (UnsupportedOperationException | Resources.NotFoundException e) {

test-runner/src/android/test/mock/MockContext.java

+6 −0
Original line number Diff line number Diff line
@@ -814,6 +814,12 @@ public class MockContext extends Context { 
        throw new UnsupportedOperationException();

    }



    /** {@hide} */

    @Override

    public boolean canLoadUnsafeResources() {

        throw new UnsupportedOperationException();

    }



    /** {@hide} */

    @Override

    public IBinder getActivityToken() {