DO NOT MERGE Fix security vulnerabilities in permission of deleting MMS/SMS

This CL adds permission check to avoid unauthorized deletion of any MMS/SMS
messages in BluetoothMapContentObserver.actionMessageSentDisconnected
function.

Bug: 22343270
Change-Id: I30254036309733be4d54db17a8ef17a571cd1c5a

1 files changed, 14 insertions, 80 deletions

diff --git a/src/com/android/bluetooth/map/BluetoothMapContentObserver.java b/src/com/android/bluetooth/map/BluetoothMapContentObserver.java
index dd14c82be..dc85b6c52 100644
--- a/src/com/android/bluetooth/map/BluetoothMapContentObserver.java
+++ b/src/com/android/bluetooth/map/BluetoothMapContentObserver.java
@@ -34,6 +34,7 @@ import javax.obex.ResponseCodes;
 
 import org.xmlpull.v1.XmlSerializer;
 
+import android.Manifest;
 import android.app.Activity;
 import android.app.PendingIntent;
 import android.content.BroadcastReceiver;
@@ -45,13 +46,16 @@ import android.content.Context;
 import android.content.Intent;
 import android.content.IntentFilter;
 import android.content.IntentFilter.MalformedMimeTypeException;
+import android.content.pm.PackageManager;
 import android.database.ContentObserver;
 import android.database.Cursor;
 import android.net.Uri;
 import android.os.Build;
+import android.os.Binder;
 import android.os.Handler;
 import android.os.Message;
 import android.os.ParcelFileDescriptor;
+import android.os.Process;
 import android.os.RemoteException;
 import android.provider.BaseColumns;
 import com.android.bluetooth.mapapi.BluetoothMapContract;
@@ -1704,9 +1708,6 @@ public class BluetoothMapContentObserver {
 
             IntentFilter intentFilter = new IntentFilter();
             intentFilter.addAction(ACTION_MESSAGE_DELIVERY);
-            /* The reception of ACTION_MESSAGE_SENT have been moved to the MAP
-             * service, to be able to handle message sent events after a disconnect. */
-            //intentFilter.addAction(ACTION_MESSAGE_SENT);
             try{
                 intentFilter.addDataType("message/*");
             } catch (MalformedMimeTypeException e) {
@@ -1737,20 +1738,7 @@ public class BluetoothMapContentObserver {
                 return;
             }
 
-            if (action.equals(ACTION_MESSAGE_SENT)) {
-                int result = intent.getIntExtra(EXTRA_MESSAGE_SENT_RESULT, Activity.RESULT_CANCELED);
-                msgInfo.partsSent++;
-                if(result != Activity.RESULT_OK) {
-                    // If just one of the parts in the message fails, we need to send the entire message again
-                    msgInfo.failedSent = true;
-                }
-                if(D) Log.d(TAG, "onReceive: msgInfo.partsSent = " + msgInfo.partsSent
-                        + ", msgInfo.parts = " + msgInfo.parts + " result = " + result);
-
-                if (msgInfo.partsSent == msgInfo.parts) {
-                    actionMessageSent(context, intent, msgInfo);
-                }
-            } else if (action.equals(ACTION_MESSAGE_DELIVERY)) {
+            if (action.equals(ACTION_MESSAGE_DELIVERY)) {
                 long timestamp = intent.getLongExtra(EXTRA_MESSAGE_SENT_TIMESTAMP, 0);
                 int status = -1;
                 if(msgInfo.timestamp == timestamp) {
@@ -1776,67 +1764,6 @@ public class BluetoothMapContentObserver {
             }
         }
 
-        private void actionMessageSent(Context context, Intent intent, PushMsgInfo msgInfo) {
-            /* As the MESSAGE_SENT intent is forwarded from the MAP service, we use the intent
-             * to carry the result, as getResult() will not return the correct value.
-             */
-            boolean delete = false;
-
-            if(D) Log.d(TAG,"actionMessageSent(): msgInfo.failedSent = " + msgInfo.failedSent);
-
-            msgInfo.sendInProgress = false;
-
-            if (msgInfo.failedSent == false) {
-                if(D) Log.d(TAG, "actionMessageSent: result OK");
-                if (msgInfo.transparent == 0) {
-                    if (!Sms.moveMessageToFolder(context, msgInfo.uri,
-                            Sms.MESSAGE_TYPE_SENT, 0)) {
-                        Log.w(TAG, "Failed to move " + msgInfo.uri + " to SENT");
-                    }
-                } else {
-                    delete = true;
-                }
-
-                Event evt = new Event(EVENT_TYPE_SENDING_SUCCESS, msgInfo.id,
-                    folderSms[Sms.MESSAGE_TYPE_SENT], null, mSmsType);
-                sendEvent(evt);
-
-            } else {
-                if (msgInfo.retry == 1) {
-                    /* Notify failure, but keep message in outbox for resending */
-                    msgInfo.resend = true;
-                    msgInfo.partsSent = 0; // Reset counter for the retry
-                    msgInfo.failedSent = false;
-                    Event evt = new Event(EVENT_TYPE_SENDING_FAILURE, msgInfo.id,
-                        folderSms[Sms.MESSAGE_TYPE_OUTBOX], null, mSmsType);
-                    sendEvent(evt);
-                } else {
-                    if (msgInfo.transparent == 0) {
-                        if (!Sms.moveMessageToFolder(context, msgInfo.uri,
-                                Sms.MESSAGE_TYPE_FAILED, 0)) {
-                            Log.w(TAG, "Failed to move " + msgInfo.uri + " to FAILED");
-                        }
-                    } else {
-                        delete = true;
-                    }
-
-                    Event evt = new Event(EVENT_TYPE_SENDING_FAILURE, msgInfo.id,
-                        folderSms[Sms.MESSAGE_TYPE_FAILED], null, mSmsType);
-                    sendEvent(evt);
-                }
-            }
-
-            if (delete == true) {
-                /* Delete from Observer message list to avoid delete notifications */
-                synchronized(mMsgListSms) {
-                    mMsgListSms.remove(msgInfo.id);
-                }
-
-                /* Delete from DB */
-                mResolver.delete(msgInfo.uri, null, null);
-            }
-        }
-
         private void actionMessageDelivery(Context context, Intent intent, PushMsgInfo msgInfo) {
             Uri messageUri = intent.getData();
             msgInfo.sendInProgress = false;
@@ -1878,6 +1805,13 @@ public class BluetoothMapContentObserver {
     }
 
     static public void actionMessageSentDisconnected(Context context, Intent intent, int result) {
+        /* Check permission for message deletion. */
+        if (context.checkCallingOrSelfPermission(android.Manifest.permission.WRITE_SMS)
+              != PackageManager.PERMISSION_GRANTED) {
+            Log.w(TAG, "actionMessageSentDisconnected: Not allowed to delete SMS/MMS messages");
+            return;
+        }
+
         boolean delete = false;
         //int retry = intent.getIntExtra(EXTRA_MESSAGE_SENT_RETRY, 0);
         int transparent = intent.getIntExtra(EXTRA_MESSAGE_SENT_TRANSPARENT, 0);
@@ -1914,10 +1848,10 @@ public class BluetoothMapContentObserver {
             }
         }
 
-        if (delete == true) {
+        if (delete) {
             /* Delete from DB */
             ContentResolver resolver = context.getContentResolver();
-            if(resolver != null) {
+            if (resolver != null) {
                 resolver.delete(uri, null, null);
             } else {
                 Log.w(TAG, "Unable to get resolver");