Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / 3933a6e0c358238302e07bc8782d65f672b88e7b^! / . / services / core / java / com / android / server / InputMethodManagerService.java
commit3933a6e0c358238302e07bc8782d65f672b88e7b[log] [tgz]
authorYohei Yukawa <yukawa@google.com>Thu Nov 10 00:47:48 2016 -0800
committerYohei Yukawa <yukawa@google.com>Fri Nov 11 03:39:25 2016 +0000
tree768f070c503c8d995fb15ccd0bafa9c25b42830f
parent16e67edb366ad9a65d67b473ecc52a2d9e22f060 [diff] [blame]
Support content URIs w/ userId in IC#commitContent

With this CL, one can specify a content URI with an embedded user ID to
InputContentInfo, like such a URI is supported in
Context#grantUriPermission().

Note that such a scenario is actually possible when 1) an application
running as User X sets a content URI to the system clipboard then 2) the
IME runing as User Y who share the clipboard with User X obtains the
content URI from the system and tries to create a new instance of
InputContentInfo.

Bug: 32427307
Bug: 32778718
Test: 'adb shell dumpsys activity permissions' with a custom IME that
      instantiates InputContentInfo from the content URI obtained from
      the clipboard.
Change-Id: I7918c0a379b8f3e7e64b106447b42447876f9057

diff --git a/services/core/java/com/android/server/InputMethodManagerService.java b/services/core/java/com/android/server/InputMethodManagerService.java
index 2bf5866..d1f07a5 100644
--- a/services/core/java/com/android/server/InputMethodManagerService.java
+++ b/services/core/java/com/android/server/InputMethodManagerService.java

@@ -60,6 +60,7 @@
 import android.app.PendingIntent;
 import android.content.BroadcastReceiver;
 import android.content.ComponentName;
+import android.content.ContentProvider;
 import android.content.ContentResolver;
 import android.content.Context;
 import android.content.DialogInterface;
@@ -3969,10 +3970,22 @@
                     + mCurAttribute.packageName + " packageName=" + packageName);
                 return null;
             }
+            // This user ID can never bee spoofed.
             final int imeUserId = UserHandle.getUserId(uid);
+            // This user ID can never bee spoofed.
             final int appUserId = UserHandle.getUserId(mCurClient.uid);
-            return new InputContentUriTokenHandler(contentUri, uid, packageName, imeUserId,
-                    appUserId);
+            // This user ID may be invalid if "contentUri" embedded an invalid user ID.
+            final int contentUriOwnerUserId = ContentProvider.getUserIdFromUri(contentUri,
+                    imeUserId);
+            final Uri contentUriWithoutUserId = ContentProvider.getUriWithoutUserId(contentUri);
+            // Note: InputContentUriTokenHandler.take() checks whether the IME (specified by "uid")
+            // actually has the right to grant a read permission for "contentUriWithoutUserId" that
+            // is claimed to belong to "contentUriOwnerUserId".  For example, specifying random
+            // content URI and/or contentUriOwnerUserId just results in a SecurityException thrown
+            // from InputContentUriTokenHandler.take() and can never be allowed beyond what is
+            // actually allowed to "uid", which is guaranteed to be the IME's one.
+            return new InputContentUriTokenHandler(contentUriWithoutUserId, uid,
+                    packageName, contentUriOwnerUserId, appUserId);
         }
     }