summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRohan Shah <shahrk@google.com>2016-08-17 11:23:26 -0700
committergitbuildkicker <android-build@google.com>2016-08-25 21:56:27 -0700
commit9046b8480525382ca99d00b737d890977ac0d2f9 (patch)
tree2cb24339bd8414d5662606bfa9b78edcd195b029
parentcb2dfe43f25cb0c32cc73aa4569c0a5186a4ef43 (diff)
downloadandroid_packages_apps_Email-9046b8480525382ca99d00b737d890977ac0d2f9.tar.gz
android_packages_apps_Email-9046b8480525382ca99d00b737d890977ac0d2f9.tar.bz2
android_packages_apps_Email-9046b8480525382ca99d00b737d890977ac0d2f9.zip
Limit account id and id to longs
The security issue occurs because id is allowed to be an arbitrary path instead of being limited to what it is -- a long. Both id and account id are now parsed into longs (and if either fails, an error will be logged and null will be returned). Tested/verified error is logged using the reported attack. BUG=30745403 Change-Id: Ia21418545bbaeb96fb5ab6c3f4e71858e57b8684 (cherry picked from commit 9794d7e8216138adf143a3b6faf3d5683316a662)
-rw-r--r--provider_src/com/android/email/provider/AttachmentProvider.java14
1 files changed, 9 insertions, 5 deletions
diff --git a/provider_src/com/android/email/provider/AttachmentProvider.java b/provider_src/com/android/email/provider/AttachmentProvider.java
index c64fb4e4c..0abed9712 100644
--- a/provider_src/com/android/email/provider/AttachmentProvider.java
+++ b/provider_src/com/android/email/provider/AttachmentProvider.java
@@ -166,8 +166,8 @@ public class AttachmentProvider extends ContentProvider {
long callingId = Binder.clearCallingIdentity();
try {
List<String> segments = uri.getPathSegments();
- String accountId = segments.get(0);
- String id = segments.get(1);
+ final long accountId = Long.parseLong(segments.get(0));
+ final long id = Long.parseLong(segments.get(1));
String format = segments.get(2);
if (AttachmentUtilities.FORMAT_THUMBNAIL.equals(format)) {
int width = Integer.parseInt(segments.get(3));
@@ -176,8 +176,7 @@ public class AttachmentProvider extends ContentProvider {
File dir = getContext().getCacheDir();
File file = new File(dir, filename);
if (!file.exists()) {
- Uri attachmentUri = AttachmentUtilities.
- getAttachmentUri(Long.parseLong(accountId), Long.parseLong(id));
+ Uri attachmentUri = AttachmentUtilities.getAttachmentUri(accountId, id);
Cursor c = query(attachmentUri,
new String[] { Columns.DATA }, null, null, null);
if (c != null) {
@@ -218,9 +217,14 @@ public class AttachmentProvider extends ContentProvider {
}
else {
return ParcelFileDescriptor.open(
- new File(getContext().getDatabasePath(accountId + ".db_att"), id),
+ new File(getContext().getDatabasePath(accountId + ".db_att"),
+ String.valueOf(id)),
ParcelFileDescriptor.MODE_READ_ONLY);
}
+ } catch (NumberFormatException e) {
+ LogUtils.e(Logging.LOG_TAG,
+ "AttachmentProvider.openFile: Failed to open as id is not a long");
+ return null;
} finally {
Binder.restoreCallingIdentity(callingId);
}