Validate user-supplied tree URIs in DocumentsProvider calls (b9f4fb79) · Commits · e / os / android_frameworks_base

core/java/android/provider/DocumentsProvider.java

+12 −5

Original line number	Diff line number	Diff line
		@@ -218,8 +218,15 @@ public abstract class DocumentsProvider extends ContentProvider {
		}

		/** {@hide} */
		private void enforceTree(Uri documentUri) {
		if (isTreeUri(documentUri)) {
		private void enforceTreeForExtraUris(Bundle extras) {
		enforceTree(extras.getParcelable(DocumentsContract.EXTRA_URI));
		enforceTree(extras.getParcelable(DocumentsContract.EXTRA_PARENT_URI));
		enforceTree(extras.getParcelable(DocumentsContract.EXTRA_TARGET_URI));
		}

		/** {@hide} */
		private void enforceTree(@Nullable Uri documentUri) {
		if (documentUri != null && isTreeUri(documentUri)) {
		final String parent = getTreeDocumentId(documentUri);
		final String child = getDocumentId(documentUri);
		if (Objects.equals(parent, child)) {
		@@ -1076,6 +1083,9 @@ public abstract class DocumentsProvider extends ContentProvider {
		final Context context = getContext();
		final Bundle out = new Bundle();

		// If the URI is a tree URI performs some validation.
		enforceTreeForExtraUris(extras);

		if (METHOD_EJECT_ROOT.equals(method)) {
		// Given that certain system apps can hold MOUNT_UNMOUNT permission, but only apps
		// signed with platform signature can hold MANAGE_DOCUMENTS, we are going to check for
		@@ -1099,9 +1109,6 @@ public abstract class DocumentsProvider extends ContentProvider {
		"Requested authority " + authority + " doesn't match provider " + mAuthority);
		}

		// If the URI is a tree URI performs some validation.
		enforceTree(documentUri);

		if (METHOD_IS_CHILD_DOCUMENT.equals(method)) {
		enforceReadPermissionInner(documentUri, getCallingPackage(),
		getCallingAttributionTag(), null);