
Commit ea58c203 authored by Julia Reynolds's avatar Julia Reynolds

Protect against bad uris

Test: atest
Fixes: 148260893
Change-Id: I0b7663a674689ef957c81c6ba55c4b90466bcd75
parent 374ba3fc
+3 −1
@@ -7594,7 +7594,7 @@ public class NotificationManagerService extends SystemService {
            for (int i = 0; i < newUris.size(); i++) {
                final Uri uri = newUris.valueAt(i);
                if (oldUris == null || !oldUris.contains(uri)) {
                    if (DBG) Slog.d(TAG, key + ": granting " + uri);
                    Slog.d(TAG, key + ": granting " + uri);
                    grantUriPermission(permissionOwner, uri, newRecord.getUid(), targetPkg,
                            targetUserId);
                }
@@ -7631,6 +7631,8 @@ public class NotificationManagerService extends SystemService {
                    targetUserId);
        } catch (RemoteException ignored) {
            // Ignored because we're in same process
        } catch (SecurityException e) {
            Slog.e(TAG, "Cannot grant uri access; " + sourceUid + " does not own " + uri);
        } finally {
            Binder.restoreCallingIdentity(ident);
        }
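Review bot: The `Slog.d(TAG, key + ": granting " + uri);` line in the first hunk is printed both with and without its `if (DBG)` guard, and the hunk header (7 lines on each side) means one form replaces the other; if the unguarded form is the new side, every grant now writes an app-supplied content URI to the log on production builds, which looks like leftover debugging and should stay `if (DBG) Slog.d(TAG, key + ": granting " + uri);`. In the second hunk the `catch (SecurityException e)` discards `e`, so the message asserts that the source uid does not own the URI even if the exception was raised for a different reason. Passing the exception through, `Slog.e(TAG, "Cannot grant uri access; " + sourceUid + " does not own " + uri, e);`, keeps the real cause available to whoever triages the log. Both enclosing methods begin outside the visible hunks.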
+28 −0
@@ -70,6 +70,7 @@ import static org.mockito.Mockito.anyInt;
import static org.mockito.Mockito.clearInvocations;
import static org.mockito.Mockito.doAnswer;
import static org.mockito.Mockito.doNothing;
import static org.mockito.Mockito.doThrow;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.reset;
@@ -3643,6 +3644,33 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
                anyInt(), anyInt());
    }

    @Test
    public void updateUriPermissions_posterDoesNotOwnUri() throws Exception {
        NotificationChannel c = new NotificationChannel(
                TEST_CHANNEL_ID, TEST_CHANNEL_ID, IMPORTANCE_DEFAULT);
        c.setSound(null, Notification.AUDIO_ATTRIBUTES_DEFAULT);
        Message message1 = new Message("", 0, "");
        message1.setData("",
                ContentUris.withAppendedId(MediaStore.Images.Media.EXTERNAL_CONTENT_URI, 1));

        Notification.Builder nbA = new Notification.Builder(mContext, c.getId())
                .setContentTitle("foo")
                .setSmallIcon(android.R.drawable.sym_def_app_icon)
                .setStyle(new Notification.MessagingStyle("")
                        .addMessage(message1));
        NotificationRecord recordA = new NotificationRecord(mContext, new StatusBarNotification(
                PKG, PKG, 0, "tag", mUid, 0, nbA.build(), new UserHandle(mUid), null, 0), c);

        doThrow(new SecurityException("no access")).when(mUgm)
                .grantUriPermissionFromOwner(
                        any(), anyInt(), any(), any(), anyInt(), anyInt(), anyInt());

        when(mUgmInternal.newUriPermissionOwner(any())).thenReturn(new Binder());
        mService.updateUriPermissions(recordA, null, mContext.getPackageName(),  USER_SYSTEM);

        // yay, no crash
    }

    @Test
    public void testVisitUris() throws Exception {
        final Uri audioContents = Uri.parse("content://com.example/audio");
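Review bot: The new test `updateUriPermissions_posterDoesNotOwnUri` asserts nothing, so it passes whether or not the stubbed `grantUriPermissionFromOwner` is ever reached; if the URI in the MessagingStyle message stopped being picked up, the `doThrow` would never fire and the test would still be green. Replacing `// yay, no crash` with `verify(mUgm).grantUriPermissionFromOwner(any(), anyInt(), any(), any(), anyInt(), anyInt(), anyInt());` pins that the SecurityException path was actually exercised. This assumes `verify` is already statically imported, since the import list is only partly visible in the first hunk. The trailing context method `testVisitUris` continues outside the hunk.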