Prevent OPP from opening files that aren't sent over Bluetooth

Before this patch an app could send an open intent to
BluetoothOppTransferService using a fake content provider to gain external
read and write access. We fix this by checking the Uri of the file before
opening it to see if it originated from the Bluetooth Share content provider.
We also stop graning write access to apps that we use to view the file.

Bug: 35385327
Test: PoC found in bug
Change-Id: Iad85490a0306b3e70767285393b204be22b11511
(cherry picked from commit f20350af42cd5cce1a762ef587ee50fef696f0f0)
diff --git a/src/com/android/bluetooth/opp/BluetoothOppUtility.java b/src/com/android/bluetooth/opp/BluetoothOppUtility.java
index 6b94ab5..cbbfa17 100644
--- a/src/com/android/bluetooth/opp/BluetoothOppUtility.java
+++ b/src/com/android/bluetooth/opp/BluetoothOppUtility.java
@@ -68,6 +68,10 @@
     private static final ConcurrentHashMap<Uri, BluetoothOppSendFileInfo> sSendFileMap
             = new ConcurrentHashMap<Uri, BluetoothOppSendFileInfo>();
 
+    public static boolean isBluetoothShareUri(Uri uri) {
+        return uri.toString().startsWith(BluetoothShare.CONTENT_URI.toString());
+    }
+
     public static BluetoothOppTransferInfo queryRecord(Context context, Uri uri) {
         BluetoothOppTransferInfo info = new BluetoothOppTransferInfo();
         Cursor cursor = context.getContentResolver().query(uri, null, null, null, null);
@@ -178,6 +182,11 @@
             return;
         }
 
+        if (!isBluetoothShareUri(uri)) {
+            Log.e(TAG, "Trying to open a file that wasn't transfered over Bluetooth");
+            return;
+        }
+
         File f = new File(fileName);
         if (!f.exists()) {
             Intent in = new Intent(context, BluetoothOppBtErrorActivity.class);
@@ -208,17 +217,8 @@
                 .queryIntentActivities(activityIntent,
                         PackageManager.MATCH_DEFAULT_ONLY);
 
-            // Grant permissions for any app that can handle a file to access it
-            for (ResolveInfo resolveInfo : resInfoList) {
-                String packageName = resolveInfo.activityInfo.packageName;
-                context.grantUriPermission(packageName, path,
-                        Intent.FLAG_GRANT_WRITE_URI_PERMISSION |
-                        Intent.FLAG_GRANT_READ_URI_PERMISSION);
-            }
-
             activityIntent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
-            activityIntent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
-            activityIntent.setFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
+            activityIntent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
 
             try {
                 if (V) Log.d(TAG, "ACTION_VIEW intent sent out: " + path + " / " + mimetype);