From a2aa53f83afbd13b04cbdcca494fd3cf659c155d Mon Sep 17 00:00:00 2001 From: Tom Taylor Date: Mon, 5 Dec 2016 16:39:55 -0800 Subject: 32807795 Security Vulnerability - AOSP Messaging App: thirdparty can attach private files from "/data/data/com.android.messaging/" directory to the messaging app. * This is a manual merge from ag/871758 -- backporting a security fix from Bugle to Kazoo. * Don't export the MediaScratchFileProvider or the MmsFileProvider. This will block external access from third party apps. In addition, make both providers more robust in handling path names. Make sure the file paths handled in the providers point to the expected directory. Change-Id: I9e6b3ae0e122e3f5022243418f2893d4a0859edb Fixes: 32807795 --- AndroidManifest.xml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'AndroidManifest.xml') diff --git a/AndroidManifest.xml b/AndroidManifest.xml index 8fe8fae..4b16a82 100644 --- a/AndroidManifest.xml +++ b/AndroidManifest.xml @@ -317,11 +317,13 @@ + android:grantUriPermissions="true" + android:exported="false" /> + android:grantUriPermissions="true" + android:exported="false" /> -- cgit v1.2.3
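Review bot: in the `@@ -317,11 +317,13 @@` hunk, both provider entries keep `android:grantUriPermissions="true"` next to the new `android:exported="false"`, so the manifest still allows a grant on any URI these providers serve. Setting exported to false closes direct access from other apps, but a file can still reach a third party whenever the app itself passes along a URI with a grant flag. What keeps private files under /data/data/com.android.messaging/ out of reach is therefore the path-name handling the commit message describes, and that code is not visible here because this view is limited to AndroidManifest.xml. Two suggestions: if only a known subtree ever needs to be shared, replace the blanket attribute with `<grant-uri-permission>` entries scoped by path prefix. Also review the provider changes together with this hunk, and confirm that they resolve the requested path to canonical form before comparing it with the expected directory, so that `..` segments and symlinks are rejected.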