summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRuchi Kandoi <kandoiruchi@google.com>2017-06-02 15:01:27 -0700
committerHarry Youd <harry@harryyoud.co.uk>2017-09-20 20:04:03 +0000
commit1e1c537b8fedb73b07fc1cdbeebe535291fc448f (patch)
treea27eb3dd3b4b9c773f934154d6c0953d43c87b4a
parent0d2f1ccac4d38588e50aa525ccf9a131b612075f (diff)
downloadandroid_packages_apps_Nfc-1e1c537b8fedb73b07fc1cdbeebe535291fc448f.tar.gz
android_packages_apps_Nfc-1e1c537b8fedb73b07fc1cdbeebe535291fc448f.tar.bz2
android_packages_apps_Nfc-1e1c537b8fedb73b07fc1cdbeebe535291fc448f.zip
Add READ_EXTERNAL_STORAGE for file based Uri while beaming.replicant-6.0-0003
Test: PoC application Bug: 37287958 Change-Id: I7f5a2f32a053f0448726aec9f8b524f914c0d8df Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com> (cherry picked from commit dc54140e12f441c9d7c1b5be5337d6b16bfa32e4) CVE-2017-0784
-rw-r--r--src/com/android/nfc/BeamShareActivity.java20
1 files changed, 18 insertions, 2 deletions
diff --git a/src/com/android/nfc/BeamShareActivity.java b/src/com/android/nfc/BeamShareActivity.java
index cff601cf..6eb5d24b 100644
--- a/src/com/android/nfc/BeamShareActivity.java
+++ b/src/com/android/nfc/BeamShareActivity.java
@@ -19,6 +19,8 @@ package com.android.nfc;
import java.util.ArrayList;
import android.app.Activity;
+import android.app.ActivityManager;
+import android.app.ActivityManagerNative;
import android.app.AlertDialog;
import android.content.BroadcastReceiver;
import android.content.Context;
@@ -26,6 +28,7 @@ import android.content.DialogInterface;
import android.content.ClipData;
import android.content.Intent;
import android.content.IntentFilter;
+import android.content.pm.PackageManager;
import android.net.Uri;
import android.nfc.BeamShareData;
import android.nfc.NdefMessage;
@@ -33,8 +36,11 @@ import android.nfc.NdefRecord;
import android.nfc.NfcAdapter;
import android.os.Bundle;
import android.os.UserHandle;
+import android.os.RemoteException;
import android.util.Log;
+import android.util.EventLog;
import android.webkit.URLUtil;
+import android.Manifest.permission;
import com.android.internal.R;
@@ -196,16 +202,26 @@ public class BeamShareActivity extends Activity {
int numValidUris = 0;
for (Uri uri : mUris) {
try {
+ int uid = ActivityManagerNative.getDefault().getLaunchedFromUid(getActivityToken());
+ if (uri.getScheme().equalsIgnoreCase("file") &&
+ getApplicationContext().checkPermission(permission.READ_EXTERNAL_STORAGE, -1, uid) !=
+ PackageManager.PERMISSION_GRANTED) {
+ Log.e(TAG, "File based Uri doesn't have External Storage Permission.");
+ EventLog.writeEvent(0x534e4554, "37287958", uid, uri.getPath());
+ break;
+ }
grantUriPermission("com.android.nfc", uri, Intent.FLAG_GRANT_READ_URI_PERMISSION);
uriArray[numValidUris++] = uri;
if (DBG) Log.d(TAG, "Found uri: " + uri);
} catch (SecurityException e) {
Log.e(TAG, "Security exception granting uri permission to NFC process.");
- numValidUris = 0;
+ break;
+ } catch (RemoteException e) {
+ Log.e(TAG, "Remote exception accessing uid of the calling process.");
break;
}
}
- if (numValidUris > 0) {
+ if (numValidUris != 0 && numValidUris == mUris.size()) {
shareData = new BeamShareData(null, uriArray, myUserHandle, 0);
} else {
// No uris left