From 80f6a985c3662bc65ffba83975ec23c1a93ed888 Mon Sep 17 00:00:00 2001 From: Seigo Nonaka Date: Thu, 22 Jun 2017 08:22:18 -0700 Subject: Stop loading other package's font by default. Since CONTEXT_RESTRICTED is not a default flag of createPackageContext, we can't rely on it for preventing unexpected font injections. To protect developers and existing apps from a risk of font injection, stop loading font from other package's resouce unless the developer explicitly set CONTEXT_IGNORE_SECURITY. This CL contains Iac2a6fb3d82ef23d5ca6ee33f4aaa9ed28455271 by manual merging to handle repository split. Bug: 62813533 Bug: 62879353 Test: Manually done Merged-In: I4442ddc48dadb5c968b444be86038b602074d301 Change-Id: I4442ddc48dadb5c968b444be86038b602074d301 --- core/java/android/app/ContextImpl.java | 8 ++++++++ core/java/android/content/Context.java | 6 ++++++ core/java/android/content/ContextWrapper.java | 6 ++++++ core/java/android/widget/TextView.java | 6 +++--- test-runner/src/android/test/mock/MockContext.java | 6 ++++++ .../src/com/android/layoutlib/bridge/android/BridgeContext.java | 5 +++++ 6 files changed, 34 insertions(+), 3 deletions(-) diff --git a/core/java/android/app/ContextImpl.java b/core/java/android/app/ContextImpl.java index 1b25e6571065..3ea0c83f2db6 100644 --- a/core/java/android/app/ContextImpl.java +++ b/core/java/android/app/ContextImpl.java @@ -2137,6 +2137,14 @@ class ContextImpl extends Context { return (mFlags & Context.CONTEXT_CREDENTIAL_PROTECTED_STORAGE) != 0; } + @Override + public boolean canLoadUnsafeResources() { + if (getPackageName().equals(getOpPackageName())) { + return true; + } + return (mFlags & Context.CONTEXT_IGNORE_SECURITY) != 0; + } + @Override public Display getDisplay() { if (mDisplay == null) { diff --git a/core/java/android/content/Context.java b/core/java/android/content/Context.java index 2303a3839789..0f94065c6985 100644 --- a/core/java/android/content/Context.java +++ b/core/java/android/content/Context.java @@ -4657,6 +4657,12 @@ public abstract class Context { @SystemApi public abstract boolean isCredentialProtectedStorage(); + /** + * Returns true if the context can load unsafe resources, e.g. fonts. + * @hide + */ + public abstract boolean canLoadUnsafeResources(); + /** * @hide */ diff --git a/core/java/android/content/ContextWrapper.java b/core/java/android/content/ContextWrapper.java index 3b27905d2c11..df59f0eba0a5 100644 --- a/core/java/android/content/ContextWrapper.java +++ b/core/java/android/content/ContextWrapper.java @@ -920,6 +920,12 @@ public class ContextWrapper extends Context { return mBase.isCredentialProtectedStorage(); } + /** {@hide} */ + @Override + public boolean canLoadUnsafeResources() { + return mBase.canLoadUnsafeResources(); + } + /** * @hide */ diff --git a/core/java/android/widget/TextView.java b/core/java/android/widget/TextView.java index 6b328ea01997..9a924890fcd7 100644 --- a/core/java/android/widget/TextView.java +++ b/core/java/android/widget/TextView.java @@ -913,7 +913,7 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener break; case com.android.internal.R.styleable.TextAppearance_fontFamily: - if (!context.isRestricted()) { + if (!context.isRestricted() && context.canLoadUnsafeResources()) { try { fontTypeface = appearance.getFont(attr); } catch (UnsupportedOperationException @@ -1233,7 +1233,7 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener break; case com.android.internal.R.styleable.TextView_fontFamily: - if (!context.isRestricted()) { + if (!context.isRestricted() && context.canLoadUnsafeResources()) { try { fontTypeface = a.getFont(attr); } catch (UnsupportedOperationException | Resources.NotFoundException e) { @@ -3417,7 +3417,7 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener Typeface fontTypeface = null; String fontFamily = null; - if (!context.isRestricted()) { + if (!context.isRestricted() && context.canLoadUnsafeResources()) { try { fontTypeface = ta.getFont(R.styleable.TextAppearance_fontFamily); } catch (UnsupportedOperationException | Resources.NotFoundException e) { diff --git a/test-runner/src/android/test/mock/MockContext.java b/test-runner/src/android/test/mock/MockContext.java index bfc2d728ad5c..24e7bff09794 100644 --- a/test-runner/src/android/test/mock/MockContext.java +++ b/test-runner/src/android/test/mock/MockContext.java @@ -808,6 +808,12 @@ public class MockContext extends Context { throw new UnsupportedOperationException(); } + /** {@hide} */ + @Override + public boolean canLoadUnsafeResources() { + throw new UnsupportedOperationException(); + } + /** {@hide} */ @Override public IBinder getActivityToken() { diff --git a/tools/layoutlib/bridge/src/com/android/layoutlib/bridge/android/BridgeContext.java b/tools/layoutlib/bridge/src/com/android/layoutlib/bridge/android/BridgeContext.java index 8bd924ea9cfb..1fc5d7256310 100644 --- a/tools/layoutlib/bridge/src/com/android/layoutlib/bridge/android/BridgeContext.java +++ b/tools/layoutlib/bridge/src/com/android/layoutlib/bridge/android/BridgeContext.java @@ -2008,6 +2008,11 @@ public class BridgeContext extends Context { return false; } + @Override + public boolean canLoadUnsafeResources() { + return false; + } + /** * The cached value depends on *
    -- cgit v1.2.3-59-g8ed1b