
Commit cdb91341 authored by Abhijeet Kaur's avatar Abhijeet Kaur Committed by android-build-team Robot

Validate user-supplied URIs in DocumentsProvider calls

Some URIs are used without validating their authorities which can lead
to exploitation by malicious apps.

Bug: 157294893
Test: Manual using test app in b/157294893
Change-Id: I799509ed5ff7e69140e84d796fe7f96d9dbfd32f
Merged-In: I799509ed5ff7e69140e84d796fe7f96d9dbfd32f
(cherry picked from commit 75f984bd)
(cherry picked from commit e4bb1d7b)
parent 11725e12
+18 −7
@@ -232,6 +232,10 @@ public abstract class DocumentsProvider extends ContentProvider {
        }
    }

    private Uri validateIncomingNullableUri(@Nullable Uri uri) {
        return uri == null ? null : validateIncomingUri(uri);
    }

    /**
     * Create a new document and return its newly generated
     * {@link Document#COLUMN_DOCUMENT_ID}. You must allocate a new
@@ -1076,11 +1080,18 @@ public abstract class DocumentsProvider extends ContentProvider {
        final Context context = getContext();
        final Bundle out = new Bundle();

        final Uri extraUri = validateIncomingNullableUri(
                extras.getParcelable(DocumentsContract.EXTRA_URI));
        final Uri extraTargetUri = validateIncomingNullableUri(
                extras.getParcelable(DocumentsContract.EXTRA_TARGET_URI));
        final Uri extraParentUri = validateIncomingNullableUri(
                extras.getParcelable(DocumentsContract.EXTRA_PARENT_URI));

        if (METHOD_EJECT_ROOT.equals(method)) {
            // Given that certain system apps can hold MOUNT_UNMOUNT permission, but only apps
            // signed with platform signature can hold MANAGE_DOCUMENTS, we are going to check for
            // MANAGE_DOCUMENTS or associated URI permission here instead
            final Uri rootUri = extras.getParcelable(DocumentsContract.EXTRA_URI);
            final Uri rootUri = extraUri;
            enforceWritePermissionInner(rootUri, getCallingPackage(), getCallingAttributionTag(),
                    null);

@@ -1090,7 +1101,7 @@ public abstract class DocumentsProvider extends ContentProvider {
            return out;
        }

        final Uri documentUri = extras.getParcelable(DocumentsContract.EXTRA_URI);
        final Uri documentUri = extraUri;
        final String authority = documentUri.getAuthority();
        final String documentId = DocumentsContract.getDocumentId(documentUri);

@@ -1106,7 +1117,7 @@ public abstract class DocumentsProvider extends ContentProvider {
            enforceReadPermissionInner(documentUri, getCallingPackage(),
                    getCallingAttributionTag(), null);

            final Uri childUri = extras.getParcelable(DocumentsContract.EXTRA_TARGET_URI);
            final Uri childUri = extraTargetUri;
            final String childAuthority = childUri.getAuthority();
            final String childId = DocumentsContract.getDocumentId(childUri);

@@ -1173,7 +1184,7 @@ public abstract class DocumentsProvider extends ContentProvider {
            revokeDocumentPermission(documentId);

        } else if (METHOD_COPY_DOCUMENT.equals(method)) {
            final Uri targetUri = extras.getParcelable(DocumentsContract.EXTRA_TARGET_URI);
            final Uri targetUri = extraTargetUri;
            final String targetId = DocumentsContract.getDocumentId(targetUri);

            enforceReadPermissionInner(documentUri, getCallingPackage(),
@@ -1197,9 +1208,9 @@ public abstract class DocumentsProvider extends ContentProvider {
            }

        } else if (METHOD_MOVE_DOCUMENT.equals(method)) {
            final Uri parentSourceUri = extras.getParcelable(DocumentsContract.EXTRA_PARENT_URI);
            final Uri parentSourceUri = extraParentUri;
            final String parentSourceId = DocumentsContract.getDocumentId(parentSourceUri);
            final Uri targetUri = extras.getParcelable(DocumentsContract.EXTRA_TARGET_URI);
            final Uri targetUri = extraTargetUri;
            final String targetId = DocumentsContract.getDocumentId(targetUri);

            enforceWritePermissionInner(documentUri, getCallingPackage(),
@@ -1225,7 +1236,7 @@ public abstract class DocumentsProvider extends ContentProvider {
            }

        } else if (METHOD_REMOVE_DOCUMENT.equals(method)) {
            final Uri parentSourceUri = extras.getParcelable(DocumentsContract.EXTRA_PARENT_URI);
            final Uri parentSourceUri = extraParentUri;
            final String parentSourceId = DocumentsContract.getDocumentId(parentSourceUri);

            enforceReadPermissionInner(parentSourceUri, getCallingPackage(),
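Review bot: `validateIncomingNullableUri` passes a missing extra through as null, and the non-eject path then dereferences it unconditionally at `documentUri.getAuthority()` (likewise `childUri.getAuthority()` and the `getDocumentId(targetUri)` / `getDocumentId(parentSourceUri)` calls), so a caller that omits `EXTRA_URI` gets a NullPointerException instead of a clear rejection. A guard such as `if (documentUri == null) throw new IllegalArgumentException("Missing " + DocumentsContract.EXTRA_URI);` right after the assignment would make that failure explicit, and the same applies in each branch that reads the target or parent URI. The helper's return type should also carry `@Nullable`, and a short comment above the three up-front validations, e.g. `// Validate every caller-supplied URI before dispatch so no branch reads an unchecked extra`, would record that they deliberately run for every method, including ones that ignore the target or parent URI. The enclosing method starts and ends outside these hunks, so whether later code already null-checks these values cannot be confirmed from here.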