aboutsummaryrefslogtreecommitdiffstats
path: root/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/KeychainExternalProvider.java
diff options
context:
space:
mode:
Diffstat (limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/KeychainExternalProvider.java')
-rw-r--r--OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/KeychainExternalProvider.java32
1 files changed, 25 insertions, 7 deletions
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/KeychainExternalProvider.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/KeychainExternalProvider.java
index 7eb5d558f..455857f00 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/KeychainExternalProvider.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/KeychainExternalProvider.java
@@ -24,12 +24,14 @@ import java.util.HashMap;
import android.content.ContentProvider;
import android.content.ContentValues;
+import android.content.Context;
import android.content.UriMatcher;
import android.database.Cursor;
import android.database.DatabaseUtils;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
+import android.os.Binder;
import android.support.annotation.NonNull;
import android.text.TextUtils;
@@ -206,16 +208,13 @@ public class KeychainExternalProvider extends ContentProvider implements SimpleC
break;
}
- case API_APPS: {
- qb.setTables(Tables.API_APPS);
-
- break;
- }
-
case API_APPS_BY_PACKAGE_NAME: {
+ String requestedPackageName = uri.getLastPathSegment();
+ checkIfPackageBelongsToCaller(getContext(), requestedPackageName);
+
qb.setTables(Tables.API_APPS);
qb.appendWhere(ApiApps.PACKAGE_NAME + " = ");
- qb.appendWhereEscapeString(uri.getLastPathSegment());
+ qb.appendWhereEscapeString(requestedPackageName);
break;
}
@@ -248,6 +247,25 @@ public class KeychainExternalProvider extends ContentProvider implements SimpleC
return cursor;
}
+ private void checkIfPackageBelongsToCaller(Context context, String requestedPackageName) {
+ int callerUid = Binder.getCallingUid();
+ String[] callerPackageNames = context.getPackageManager().getPackagesForUid(callerUid);
+ if (callerPackageNames == null) {
+ throw new IllegalStateException("Failed to retrieve caller package name, this is an error!");
+ }
+
+ boolean packageBelongsToCaller = false;
+ for (String p : callerPackageNames) {
+ if (p.equals(requestedPackageName)) {
+ packageBelongsToCaller = true;
+ break;
+ }
+ }
+ if (!packageBelongsToCaller) {
+ throw new SecurityException("ExternalProvider may only check status of caller package!");
+ }
+ }
+
@Override
public Uri insert(@NonNull Uri uri, ContentValues values) {
throw new UnsupportedOperationException();
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-08 22:32:03 +0000