authorAjay Panicker <apanicke@google.com>2017-04-11 14:45:40 -0700
committerMSe <mse1969@posteo.de>2017-06-09 10:40:31 +0200
commitfc090ed406fe13ce9cb44985939abfe851106236 (patch)
tree6598a7b60efdaf7661be4eba23b41801b900c82a
parent7d99b2d1d73b0f9d501dc9c99e0139c65f3b2b8e (diff)
Prevent OPP from opening files that aren't sent over Bluetooth
Before this patch an app could send an open intent to BluetoothOppTransferService using a fake content provider to gain external read and write access. We fix this by checking the Uri of the file before opening it to see if it originated from the Bluetooth Share content provider. We also stop granting write access to apps that we use to view the file. Bug: 35385327 Test: PoC found in bug AOSP-Change-Id: Iad85490a0306b3e70767285393b204be22b11511 (cherry picked from commit f20350af42cd5cce1a762ef587ee50fef696f0f0) CVE-2017-0645 Change-Id: Ifab44ac73191fb8d9d9265390541ed32118f49df
-rw-r--r--src/com/android/bluetooth/opp/BluetoothOppUtility.java20
1 files changed, 10 insertions, 10 deletions
diff --git a/src/com/android/bluetooth/opp/BluetoothOppUtility.java b/src/com/android/bluetooth/opp/BluetoothOppUtility.java
index 71b9641c0..9ba8a5376 100644
--- a/src/com/android/bluetooth/opp/BluetoothOppUtility.java
+++ b/src/com/android/bluetooth/opp/BluetoothOppUtility.java
@@ -69,6 +69,10 @@ public class BluetoothOppUtility {
private static final ConcurrentHashMap<Uri, BluetoothOppSendFileInfo> sSendFileMap
= new ConcurrentHashMap<Uri, BluetoothOppSendFileInfo>();
+ public static boolean isBluetoothShareUri(Uri uri) {
+ return uri.toString().startsWith(BluetoothShare.CONTENT_URI.toString());
+ }
+
public static BluetoothOppTransferInfo queryRecord(Context context, Uri uri) {
BluetoothAdapter adapter = BluetoothAdapter.getDefaultAdapter();
BluetoothOppTransferInfo info = new BluetoothOppTransferInfo();
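Review bot: `isBluetoothShareUri` compares serialized strings, so it throws a NullPointerException when `uri` is null and accepts any URI whose text merely begins with the same characters as `BluetoothShare.CONTENT_URI`, rather than one with the same scheme and authority. Since this is the trust check for the open path, comparing parsed components is easier to reason about, for example `return uri != null && "content".equals(uri.getScheme()) && BluetoothShare.CONTENT_URI.getAuthority().equals(uri.getAuthority());`. The value of `CONTENT_URI` is not visible in this hunk, so whether a path-prefix comparison is also needed should be confirmed against its definition. A short Javadoc stating that this method is a security check on caller-supplied URIs would also help the next maintainer.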
@@ -190,6 +194,11 @@ public class BluetoothOppUtility {
return;
}
+ if (!isBluetoothShareUri(uri)) {
+ Log.e(TAG, "Trying to open a file that wasn't transfered over Bluetooth");
+ return;
+ }
+
File f = new File(fileName);
if (!f.exists()) {
Intent in = new Intent(context, BluetoothOppBtErrorActivity.class);
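Review bot: The added guard validates `uri`, but the file opened just below is `new File(fileName)`, and nothing in this hunk shows that `fileName` is derived from the record behind `uri`. If a caller can pass a Bluetooth Share `uri` together with an unrelated `fileName`, the check would pass while a different path is opened. Confirm that every caller takes `fileName` from the share record for `uri`, or resolve it here (possibly via the existing `queryRecord(context, uri)`, if its result carries the file name). The enclosing method starts and ends outside the hunk, so the origin of both parameters cannot be verified from here. For triage, the log line could also include the rejected value, e.g. `Log.e(TAG, "Refusing to open non-Bluetooth-Share uri: " + uri);`.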
@@ -227,17 +236,8 @@ public class BluetoothOppUtility {
.queryIntentActivities(activityIntent,
PackageManager.MATCH_DEFAULT_ONLY);
- // Grant permissions for any app that can handle a file to access it
- for (ResolveInfo resolveInfo : resInfoList) {
- String packageName = resolveInfo.activityInfo.packageName;
- context.grantUriPermission(packageName, path,
- Intent.FLAG_GRANT_WRITE_URI_PERMISSION |
- Intent.FLAG_GRANT_READ_URI_PERMISSION);
- }
-
activityIntent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
- activityIntent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
- activityIntent.setFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
+ activityIntent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
try {
if (V) Log.d(TAG, "ACTION_VIEW intent sent out: " + path + " / " + mimetype);