Commit 80f6a985 authored by Seigo Nonaka's avatar Seigo Nonaka

Stop loading other package's font by default.

Since CONTEXT_RESTRICTED is not a default flag of createPackageContext,
we can't rely on it for preventing unexpected font injections.
To protect developers and existing apps from a risk of font injection,
stop loading font from other package's resouce unless the developer
explicitly set CONTEXT_IGNORE_SECURITY.

This CL contains Iac2a6fb3d82ef23d5ca6ee33f4aaa9ed28455271 by manual
merging to handle repository split.

Bug: 62813533
Bug: 62879353
Test: Manually done
Merged-In: I4442ddc48dadb5c968b444be86038b602074d301
Change-Id: I4442ddc48dadb5c968b444be86038b602074d301
parent 2ef19c1d
......@@ -2137,6 +2137,14 @@ class ContextImpl extends Context {
return (mFlags & Context.CONTEXT_CREDENTIAL_PROTECTED_STORAGE) != 0;
}
@Override
public boolean canLoadUnsafeResources() {
if (getPackageName().equals(getOpPackageName())) {
return true;
}
return (mFlags & Context.CONTEXT_IGNORE_SECURITY) != 0;
}
@Override
public Display getDisplay() {
if (mDisplay == null) {
......
......@@ -4657,6 +4657,12 @@ public abstract class Context {
@SystemApi
public abstract boolean isCredentialProtectedStorage();
/**
* Returns true if the context can load unsafe resources, e.g. fonts.
* @hide
*/
public abstract boolean canLoadUnsafeResources();
/**
* @hide
*/
......
......@@ -920,6 +920,12 @@ public class ContextWrapper extends Context {
return mBase.isCredentialProtectedStorage();
}
/** {@hide} */
@Override
public boolean canLoadUnsafeResources() {
return mBase.canLoadUnsafeResources();
}
/**
* @hide
*/
......
......@@ -913,7 +913,7 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener
break;
case com.android.internal.R.styleable.TextAppearance_fontFamily:
if (!context.isRestricted()) {
if (!context.isRestricted() && context.canLoadUnsafeResources()) {
try {
fontTypeface = appearance.getFont(attr);
} catch (UnsupportedOperationException
......@@ -1233,7 +1233,7 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener
break;
case com.android.internal.R.styleable.TextView_fontFamily:
if (!context.isRestricted()) {
if (!context.isRestricted() && context.canLoadUnsafeResources()) {
try {
fontTypeface = a.getFont(attr);
} catch (UnsupportedOperationException | Resources.NotFoundException e) {
......@@ -3417,7 +3417,7 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener
Typeface fontTypeface = null;
String fontFamily = null;
if (!context.isRestricted()) {
if (!context.isRestricted() && context.canLoadUnsafeResources()) {
try {
fontTypeface = ta.getFont(R.styleable.TextAppearance_fontFamily);
} catch (UnsupportedOperationException | Resources.NotFoundException e) {
......
......@@ -808,6 +808,12 @@ public class MockContext extends Context {
throw new UnsupportedOperationException();
}
/** {@hide} */
@Override
public boolean canLoadUnsafeResources() {
throw new UnsupportedOperationException();
}
/** {@hide} */
@Override
public IBinder getActivityToken() {
......
......@@ -2008,6 +2008,11 @@ public class BridgeContext extends Context {
return false;
}
@Override
public boolean canLoadUnsafeResources() {
return false;
}
/**
* The cached value depends on
* <ol>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment