Content Providers: change default for android:exported

nickkral · nickkral · commit f097b16cfddc · 2012-08-07T11:34:00.000-07:00
Change the default value of android:exported to true
for applications which target a newer API version.
This will help stop inadvertent content provider
exposure to untrusted apps.

Bug: 3306452

Change-Id: I8cb34e823aef9551319951ce92217345c54cee63
diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
@@ -2428,8 +2428,28 @@ private Provider parseProvider(Package owner, Resources res,
             return null;
         }
 
+        boolean providerExportedDefault = false;
+
+        if (owner.applicationInfo.targetSdkVersion < Build.VERSION_CODES.JELLY_BEAN_MR1) {
+            // For compatibility, applications targeting API level 16 or lower
+            // should have their content providers exported by default, unless they
+            // specify otherwise.
+            providerExportedDefault = true;
+        }
+
+        if (((owner.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0)
+            && (owner.applicationInfo.targetSdkVersion == Build.VERSION_CODES.JELLY_BEAN)) {
+            // STOPSHIP: REMOVE THIS IF BLOCK
+            // To expose more bugs, pre-installed system apps targeting API level 16
+            // should not have their content providers exported by default.
+            // This is only a short term check, and should be removed when the
+            // default SDK version changes to 17.
+            providerExportedDefault = false;
+        }
+
         p.info.exported = sa.getBoolean(
-                com.android.internal.R.styleable.AndroidManifestProvider_exported, true);
+                com.android.internal.R.styleable.AndroidManifestProvider_exported,
+                providerExportedDefault);
 
         String cpname = sa.getNonConfigurationString(
                 com.android.internal.R.styleable.AndroidManifestProvider_authorities, 0);
@@ -2487,7 +2507,7 @@ private Provider parseProvider(Package owner, Resources res,
         }
         
         if (cpname == null) {
-            outError[0] = "<provider> does not incude authorities attribute";
+            outError[0] = "<provider> does not include authorities attribute";
             return null;
         }
         p.info.authority = cpname.intern();
diff --git a/core/java/android/os/Build.java b/core/java/android/os/Build.java
@@ -414,6 +414,15 @@ public static class VERSION_CODES {
 
         /**
          * Moar jelly beans!
+         *
+         * <p>Applications targeting this or a later release will get these
+         * new changes in behavior:</p>
+         * <ul>
+         * <li>Content Providers: The default value of {@code android:exported} is now
+         * {@code false}. See
+         * <a href="{docRoot}guide/topics/manifest/provider-element.html#exported">
+         * the android:exported section</a> in the provider documentation for more details.</li>
+         * </ul>
          */
         public static final int JELLY_BEAN_MR1 = 17;
     }
diff --git a/docs/html/guide/topics/manifest/provider-element.jd b/docs/html/guide/topics/manifest/provider-element.jd
@@ -97,7 +97,8 @@ are by default) for the content provider to be enabled.  If either is
 applications &mdash; "{@code true}" if it can be, and "{@code false}" if not.  
 If "{@code false}", the provider is available only to components of the 
 same application or applications with the same user ID.  The default value
-is "{@code true}".
+is "{@code true}" for applications which target API level 16 (Jelly Bean)
+and below, and "{@code false}" otherwise.
 
 <p>
 You can export a content provider but still limit access to it with the
