authorPeter Qiu <zqiu@google.com>2016-12-12 13:50:01 -0800
committerSean McCreary <mccreary@mcwest.org>2017-03-22 12:48:06 -0600
commit3fc44f931a8de96138ebfdc0d80238c30adc2288 (patch)
treea07aa15cdcd03f1581c79cb85e7710ee19943d3e
parentfe552bc9a3ef68dc0efddd32e9a6f327d97f7ccd (diff)
WifiInstaller: remove the installation file
Previously, the installation file deletion was done by the parsing function WifiManager#buildWifiConfig. This results in a security vulnerability with the parsing function since the caller can use that function to delete arbitrary files. The underlying API used by WifiManager#buildWifiConfig is updated to not perform the file deletion. So as the caller of that API, we are responsible for deleting the installation file. Bug: 33178389 Test: Verify passpoint configuration installation works using shamu CVE-2017-0490 Change-Id: I3b88347c86dcb213033b5aa76e7e19a5524bee05 (cherry picked from commit bfd17d2ab2be44f9827bcbb4d57833698813f79b) (cherry picked from commit 1166ca8adba9b49c9185dad11b28b02e72124d95)
-rw-r--r--src/com/android/certinstaller/WiFiInstaller.java17
1 files changed, 17 insertions, 0 deletions
diff --git a/src/com/android/certinstaller/WiFiInstaller.java b/src/com/android/certinstaller/WiFiInstaller.java
index 8e54ebd..b2a5b56 100644
--- a/src/com/android/certinstaller/WiFiInstaller.java
+++ b/src/com/android/certinstaller/WiFiInstaller.java
@@ -7,6 +7,7 @@ import android.content.Context;
import android.content.DialogInterface;
import android.content.Intent;
import android.content.res.Resources;
+import android.net.Uri;
import android.net.wifi.WifiConfiguration;
import android.net.wifi.WifiEnterpriseConfig;
import android.net.wifi.WifiManager;
@@ -19,6 +20,7 @@ import android.widget.Button;
import android.widget.TextView;
import android.widget.Toast;
import android.os.AsyncTask;
+import android.provider.DocumentsContract;
import java.security.PrivateKey;
import java.security.interfaces.RSAPrivateKey;
@@ -53,6 +55,7 @@ public class WiFiInstaller extends Activity {
mWifiManager = (WifiManager) getSystemService(Context.WIFI_SERVICE);
mWifiConfiguration = mWifiManager.buildWifiConfig(uriString, mimeType, data);
+ dropFile(Uri.parse(uriString), getApplicationContext());
if (mWifiConfiguration != null) {
WifiEnterpriseConfig enterpriseConfig = mWifiConfiguration.enterpriseConfig;
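Review bot: The `dropFile` call added after `buildWifiConfig` runs unconditionally, before the `mWifiConfiguration != null` check, so the URI is deleted even when parsing failed, and the delete is issued under CertInstaller's own identity. Where `uriString` comes from is outside this hunk; if it is taken from the launching intent, the activity should confirm the URI is one the sender was actually granted before removing it, otherwise the arbitrary-delete problem described in the commit message moves here instead of going away. `Uri.parse` also throws on a null string, so at minimum guard the call: `if (uriString != null) dropFile(Uri.parse(uriString), getApplicationContext());`. The enclosing method starts and ends outside the hunk.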
@@ -205,4 +208,18 @@ public class WiFiInstaller extends Activity {
}
builder.create().show();
}
+
+ /**
+ * Delete the file specified by the given URI.
+ *
+ * @param uri The URI of the file
+ * @param context The context of the current application
+ */
+ private static void dropFile(Uri uri, Context context) {
+ if (DocumentsContract.isDocumentUri(context, uri)) {
+ DocumentsContract.deleteDocument(context.getContentResolver(), uri);
+ } else {
+ context.getContentResolver().delete(uri, null, null);
+ }
+ }
}
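Review bot: `dropFile` lets any exception from the target provider escape and discards both return values, so a provider that rejects the delete can abort the caller and a failed cleanup leaves no trace. `ContentResolver.delete` can surface `SecurityException`, `UnsupportedOperationException` or `IllegalArgumentException` from the provider behind the URI; treating the cleanup as best effort and logging the failure keeps the install flow intact. The Javadoc should also state that the delete runs with this application's permissions and that failure is non-fatal. `TAG` in the sketch below stands for whatever log tag the class already uses.

```java
private static void dropFile(Uri uri, Context context) {
    try {
        // … unchanged: isDocumentUri branch and the two delete calls …
    } catch (SecurityException | UnsupportedOperationException | IllegalArgumentException e) {
        // Cleanup is best effort: a provider refusing the delete must not break installation.
        Log.w(TAG, "Could not delete installation file", e);
    }
}
```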