commit 344744b49633a7f8aa0c8e43469bbfcf9d8e2cab
author Jeff Sharkey <jsharkey@android.com> Thu Jan 28 19:03:30 2016 -0700
committer Jeff Sharkey <jsharkey@android.com> Thu Jan 28 19:20:12 2016 -0700
tree 607cf7b6b4753e95b4ffa9711d2f7f517797cffd
parent a74cce60721d2d2de04778eabab31a7aef8117d4

Exposing file:// beyond your app is bad, m'kay?

For several releases now we've told developers that sharing raw files
between apps is a recipe for trouble.  There are at least three major
problems with sending raw files:

-- Apps sending generic intents can't know who is at the other end,
so they may not have access to shared storage locations.  This is
more likely now that runtime permissions require apps to explicitly
ask users for permission.

-- Apps making files in their private storage world-readable has been
deprecated for several releases, and now in N it's fully blocked.  If
we let these intents through, the receiving app would fail to open
the file, when the real blame rests on the sending app.

-- Devices with user profiles can't share raw files when using
cross-profile intent filters, since filesystem access is fully
locked down between users.

The time has finally come to communicate clearly that if you're
sharing content between apps, you need to use content:// Uris.  We
added the simple FileProvider several years ago to give apps a clean
way to migrate with minimal work on their part.

Bug: 26860922, 9069185
Change-Id: I075f627f6a0d6c7fca2c090ca133b9aae9801c64

core/java/android/content/Intent.java

diff --git a/core/java/android/content/Intent.java b/core/java/android/content/Intent.java
index 49b8363..ee469da 100644
--- a/core/java/android/content/Intent.java
+++ b/core/java/android/content/Intent.java
@@ -8912,23 +8912,46 @@
      *
      * @hide
      */
-    public void prepareToLeaveProcess() {
+    public void prepareToLeaveProcess(Context context) {
+        final boolean leavingPackage = (mComponent == null)
+                || !Objects.equals(mComponent.getPackageName(), context.getPackageName());
+        prepareToLeaveProcess(leavingPackage);
+    }
+
+    /**
+     * Prepare this {@link Intent} to leave an app process.
+     *
+     * @hide
+     */
+    public void prepareToLeaveProcess(boolean leavingPackage) {
         setAllowFds(false);
 
         if (mSelector != null) {
-            mSelector.prepareToLeaveProcess();
+            mSelector.prepareToLeaveProcess(leavingPackage);
         }
         if (mClipData != null) {
-            mClipData.prepareToLeaveProcess();
+            mClipData.prepareToLeaveProcess(leavingPackage);
         }
 
-        if (mData != null && StrictMode.vmFileUriExposureEnabled()) {
-            // There are several ACTION_MEDIA_* broadcasts that send file://
-            // Uris, so only check common actions.
-            if (ACTION_VIEW.equals(mAction) ||
-                    ACTION_EDIT.equals(mAction) ||
-                    ACTION_ATTACH_DATA.equals(mAction)) {
-                mData.checkFileUriExposed("Intent.getData()");
+        if (mData != null && StrictMode.vmFileUriExposureEnabled() && leavingPackage) {
+            switch (mAction) {
+                case ACTION_MEDIA_REMOVED:
+                case ACTION_MEDIA_UNMOUNTED:
+                case ACTION_MEDIA_CHECKING:
+                case ACTION_MEDIA_NOFS:
+                case ACTION_MEDIA_MOUNTED:
+                case ACTION_MEDIA_SHARED:
+                case ACTION_MEDIA_UNSHARED:
+                case ACTION_MEDIA_BAD_REMOVAL:
+                case ACTION_MEDIA_UNMOUNTABLE:
+                case ACTION_MEDIA_EJECT:
+                case ACTION_MEDIA_SCANNER_STARTED:
+                case ACTION_MEDIA_SCANNER_FINISHED:
+                case ACTION_MEDIA_SCANNER_SCAN_FILE:
+                    // Ignore legacy actions
+                    break;
+                default:
+                    mData.checkFileUriExposed("Intent.getData()");
             }
         }
     }