summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAjay Panicker <apanicke@google.com>2017-04-11 21:45:40 (GMT)
committerMSe <mse1969@posteo.de>2017-06-09 08:40:31 (GMT)
commitfc090ed406fe13ce9cb44985939abfe851106236 (patch)
tree6598a7b60efdaf7661be4eba23b41801b900c82a
parent7d99b2d1d73b0f9d501dc9c99e0139c65f3b2b8e (diff)
downloadandroid_packages_apps_Bluetooth-fc090ed406fe13ce9cb44985939abfe851106236.zip
android_packages_apps_Bluetooth-fc090ed406fe13ce9cb44985939abfe851106236.tar.gz
android_packages_apps_Bluetooth-fc090ed406fe13ce9cb44985939abfe851106236.tar.bz2
Prevent OPP from opening files that aren't sent over Bluetooth
Before this patch an app could send an open intent to BluetoothOppTransferService using a fake content provider to gain external read and write access. We fix this by checking the Uri of the file before opening it to see if it originated from the Bluetooth Share content provider. We also stop graning write access to apps that we use to view the file. Bug: 35385327 Test: PoC found in bug AOSP-Change-Id: Iad85490a0306b3e70767285393b204be22b11511 (cherry picked from commit f20350af42cd5cce1a762ef587ee50fef696f0f0) CVE-2017-0645 Change-Id: Ifab44ac73191fb8d9d9265390541ed32118f49df
-rw-r--r--src/com/android/bluetooth/opp/BluetoothOppUtility.java20
1 files changed, 10 insertions, 10 deletions
diff --git a/src/com/android/bluetooth/opp/BluetoothOppUtility.java b/src/com/android/bluetooth/opp/BluetoothOppUtility.java
index 71b9641..9ba8a53 100644
--- a/src/com/android/bluetooth/opp/BluetoothOppUtility.java
+++ b/src/com/android/bluetooth/opp/BluetoothOppUtility.java
@@ -69,6 +69,10 @@ public class BluetoothOppUtility {
private static final ConcurrentHashMap<Uri, BluetoothOppSendFileInfo> sSendFileMap
= new ConcurrentHashMap<Uri, BluetoothOppSendFileInfo>();
+ public static boolean isBluetoothShareUri(Uri uri) {
+ return uri.toString().startsWith(BluetoothShare.CONTENT_URI.toString());
+ }
+
public static BluetoothOppTransferInfo queryRecord(Context context, Uri uri) {
BluetoothAdapter adapter = BluetoothAdapter.getDefaultAdapter();
BluetoothOppTransferInfo info = new BluetoothOppTransferInfo();
@@ -190,6 +194,11 @@ public class BluetoothOppUtility {
return;
}
+ if (!isBluetoothShareUri(uri)) {
+ Log.e(TAG, "Trying to open a file that wasn't transfered over Bluetooth");
+ return;
+ }
+
File f = new File(fileName);
if (!f.exists()) {
Intent in = new Intent(context, BluetoothOppBtErrorActivity.class);
@@ -227,17 +236,8 @@ public class BluetoothOppUtility {
.queryIntentActivities(activityIntent,
PackageManager.MATCH_DEFAULT_ONLY);
- // Grant permissions for any app that can handle a file to access it
- for (ResolveInfo resolveInfo : resInfoList) {
- String packageName = resolveInfo.activityInfo.packageName;
- context.grantUriPermission(packageName, path,
- Intent.FLAG_GRANT_WRITE_URI_PERMISSION |
- Intent.FLAG_GRANT_READ_URI_PERMISSION);
- }
-
activityIntent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
- activityIntent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
- activityIntent.setFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
+ activityIntent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
try {
if (V) Log.d(TAG, "ACTION_VIEW intent sent out: " + path + " / " + mimetype);