diff options
-rw-r--r-- | AndroidManifest.xml | 1 | ||||
-rw-r--r-- | src/com/android/htmlviewer/FileContentProvider.java | 7 |
2 files changed, 8 insertions, 0 deletions
diff --git a/AndroidManifest.xml b/AndroidManifest.xml index ed0570b..e7398ec 100644 --- a/AndroidManifest.xml +++ b/AndroidManifest.xml @@ -38,6 +38,7 @@ </activity> <provider android:name="FileContentProvider" + android:exported="false" android:authorities="com.android.htmlfileprovider" android:syncable="false" android:multiprocess="false" android:grantUriPermissions="true" /> diff --git a/src/com/android/htmlviewer/FileContentProvider.java b/src/com/android/htmlviewer/FileContentProvider.java index 1344819..2583b70 100644 --- a/src/com/android/htmlviewer/FileContentProvider.java +++ b/src/com/android/htmlviewer/FileContentProvider.java @@ -24,7 +24,9 @@ import android.content.ContentProvider; import android.content.ContentValues; import android.database.Cursor; import android.net.Uri; +import android.os.Binder; import android.os.ParcelFileDescriptor; +import android.os.Process; /** * WebView does not support file: loading. This class wraps a file load @@ -47,6 +49,11 @@ public class FileContentProvider extends ContentProvider { @Override public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException { + // android:exported="false" is broken in older releases so we have to + // manually enforce the calling identity. + if (Process.myUid() != Binder.getCallingUid()) { + throw new SecurityException("Permission denied"); + } if (!"r".equals(mode)) { throw new FileNotFoundException("Bad mode for " + uri + ": " + mode); } |