Merge "Content Providers: change default for android:exported" into jb-mr1-dev
diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
index faeb082..05bb8fc 100644
--- a/core/java/android/content/pm/PackageParser.java
+++ b/core/java/android/content/pm/PackageParser.java
@@ -2443,8 +2443,28 @@
return null;
}
+ boolean providerExportedDefault = false;
+
+ if (owner.applicationInfo.targetSdkVersion < Build.VERSION_CODES.JELLY_BEAN_MR1) {
+ // For compatibility, applications targeting API level 16 or lower
+ // should have their content providers exported by default, unless they
+ // specify otherwise.
+ providerExportedDefault = true;
+ }
+
+ if (((owner.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0)
+ && (owner.applicationInfo.targetSdkVersion == Build.VERSION_CODES.JELLY_BEAN)) {
+ // STOPSHIP: REMOVE THIS IF BLOCK
+ // To expose more bugs, pre-installed system apps targeting API level 16
+ // should not have their content providers exported by default.
+ // This is only a short term check, and should be removed when the
+ // default SDK version changes to 17.
+ providerExportedDefault = false;
+ }
+
p.info.exported = sa.getBoolean(
- com.android.internal.R.styleable.AndroidManifestProvider_exported, true);
+ com.android.internal.R.styleable.AndroidManifestProvider_exported,
+ providerExportedDefault);
String cpname = sa.getNonConfigurationString(
com.android.internal.R.styleable.AndroidManifestProvider_authorities, 0);
@@ -2516,7 +2536,7 @@
}
if (cpname == null) {
- outError[0] = "<provider> does not incude authorities attribute";
+ outError[0] = "<provider> does not include authorities attribute";
return null;
}
p.info.authority = cpname.intern();
diff --git a/core/java/android/os/Build.java b/core/java/android/os/Build.java
index 7cf869c..dd5d7a6 100644
--- a/core/java/android/os/Build.java
+++ b/core/java/android/os/Build.java
@@ -414,6 +414,15 @@
/**
* Moar jelly beans!
+ *
+ * <p>Applications targeting this or a later release will get these
+ * new changes in behavior:</p>
+ * <ul>
+ * <li>Content Providers: The default value of {@code android:exported} is now
+ * {@code false}. See
+ * <a href="{docRoot}guide/topics/manifest/provider-element.html#exported">
+ * the android:exported section</a> in the provider documentation for more details.</li>
+ * </ul>
*/
public static final int JELLY_BEAN_MR1 = 17;
}
diff --git a/docs/html/guide/topics/manifest/provider-element.jd b/docs/html/guide/topics/manifest/provider-element.jd
index 4558800..7b4ca8f 100644
--- a/docs/html/guide/topics/manifest/provider-element.jd
+++ b/docs/html/guide/topics/manifest/provider-element.jd
@@ -97,7 +97,8 @@
applications — "{@code true}" if it can be, and "{@code false}" if not.
If "{@code false}", the provider is available only to components of the
same application or applications with the same user ID. The default value
-is "{@code true}".
+is "{@code true}" for applications which target API level 16 (Jelly Bean)
+and below, and "{@code false}" otherwise.
<p>
You can export a content provider but still limit access to it with the