diff options
| author | Jeff Sharkey <jsharkey@android.com> | 2018-09-24 13:23:57 -0600 |
|---|---|---|
| committer | Jeff Sharkey <jsharkey@android.com> | 2018-10-03 14:26:17 -0600 |
| commit | c084ddbf826b25808c4553e4b5992c6723eac4ea (patch) | |
| tree | d329cfb67ece889cc707f1de58da28877348db8f /tools/aapt2/java/JavaClassGenerator.cpp | |
| parent | 37a944e88334a8d179de5be0750bb716354d227a (diff) | |
Recover shady content:// paths.
The path-permission element offers prefix or regex style matching of
paths, but most providers internally use UriMatcher to decide what
to do with an incoming Uri.
This causes trouble because UriMatcher uses Uri.getPathSegments(),
which quietly ignores "empty" paths. Consider this example:
<path-permission android:pathPrefix="/private" ... />
uriMatcher.addURI("com.example", "/private", CODE_PRIVATE);
content://com.example//private
The Uri above will pass the security check, since it's not
technically a prefix match. But the UriMatcher will then match it
as CODE_PRIVATE, since it ignores the "//" zero-length path.
Since we can't safely change the behavior of either path-permission
or UriMatcher, we're left with recovering these shady paths by
trimming away zero-length paths.
Bug: 112555574
Test: atest android.appsecurity.cts.AppSecurityTests
Test: atest FrameworksCoreTests:android.content.ContentProviderTest
Merged-In: Ibadbfa4fc904ec54780c8102958735b03293fb9a
Change-Id: Ibadbfa4fc904ec54780c8102958735b03293fb9a
Diffstat (limited to 'tools/aapt2/java/JavaClassGenerator.cpp')
0 files changed, 0 insertions, 0 deletions