Browse files

Hide the content provider and enforce the calling identity.

Bug: 3215801
Change-Id: Iee444f04141c3f35127cfc264d418ce7d8f1c617
  • Loading branch information...
1 parent 242decf commit 4a52a6e550253c5e2648141fdec7918094a50dcc Patrick Scott committed Nov 22, 2010
Showing with 8 additions and 0 deletions.
  1. +1 −0 AndroidManifest.xml
  2. +7 −0 src/com/android/htmlviewer/FileContentProvider.java
View
1 AndroidManifest.xml
@@ -38,6 +38,7 @@
</activity>
<provider android:name="FileContentProvider"
+ android:exported="false"
android:authorities="com.android.htmlfileprovider"
android:syncable="false" android:multiprocess="false"
android:grantUriPermissions="true" />
View
7 src/com/android/htmlviewer/FileContentProvider.java
@@ -24,7 +24,9 @@
import android.content.ContentValues;
import android.database.Cursor;
import android.net.Uri;
+import android.os.Binder;
import android.os.ParcelFileDescriptor;
+import android.os.Process;
/**
* WebView does not support file: loading. This class wraps a file load
@@ -47,6 +49,11 @@ public String getType(Uri uri) {
@Override
public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
+ // android:exported="false" is broken in older releases so we have to
+ // manually enforce the calling identity.
+ if (Process.myUid() != Binder.getCallingUid()) {
+ throw new SecurityException("Permission denied");
+ }
if (!"r".equals(mode)) {
throw new FileNotFoundException("Bad mode for " + uri + ": " + mode);
}

0 comments on commit 4a52a6e

Please sign in to comment.