diff options
author | Miao Chou <mcchou@google.com> | 2015-07-20 12:14:25 -0700 |
---|---|---|
committer | The Android Automerger <android-build@android.com> | 2015-09-01 14:21:26 -0700 |
commit | ca20f5002186b11dcc87b81a2742295330fa0242 (patch) | |
tree | 20d59a7b9589f0a1cad0e5dfeae7483bff51dcb6 | |
parent | 2ab3133a5c3a70fe1184ba8ff63ac3365f648a4e (diff) | |
download | android_packages_apps_Bluetooth-ca20f5002186b11dcc87b81a2742295330fa0242.tar.gz android_packages_apps_Bluetooth-ca20f5002186b11dcc87b81a2742295330fa0242.tar.bz2 android_packages_apps_Bluetooth-ca20f5002186b11dcc87b81a2742295330fa0242.zip |
DO NOT MERGE Fix security vulnerabilities in permission of deleting MMS/SMS
This CL adds permission check to avoid unauthorized deletion of any MMS/SMS
messages in BluetoothMapContentObserver.actionMessageSentDisconnected
function.
Bug: 22343270
Change-Id: I30254036309733be4d54db17a8ef17a571cd1c5a
-rw-r--r-- | src/com/android/bluetooth/map/BluetoothMapContentObserver.java | 94 |
1 files changed, 14 insertions, 80 deletions
diff --git a/src/com/android/bluetooth/map/BluetoothMapContentObserver.java b/src/com/android/bluetooth/map/BluetoothMapContentObserver.java index dd14c82be..dc85b6c52 100644 --- a/src/com/android/bluetooth/map/BluetoothMapContentObserver.java +++ b/src/com/android/bluetooth/map/BluetoothMapContentObserver.java @@ -34,6 +34,7 @@ import javax.obex.ResponseCodes; import org.xmlpull.v1.XmlSerializer; +import android.Manifest; import android.app.Activity; import android.app.PendingIntent; import android.content.BroadcastReceiver; @@ -45,13 +46,16 @@ import android.content.Context; import android.content.Intent; import android.content.IntentFilter; import android.content.IntentFilter.MalformedMimeTypeException; +import android.content.pm.PackageManager; import android.database.ContentObserver; import android.database.Cursor; import android.net.Uri; import android.os.Build; +import android.os.Binder; import android.os.Handler; import android.os.Message; import android.os.ParcelFileDescriptor; +import android.os.Process; import android.os.RemoteException; import android.provider.BaseColumns; import com.android.bluetooth.mapapi.BluetoothMapContract; @@ -1704,9 +1708,6 @@ public class BluetoothMapContentObserver { IntentFilter intentFilter = new IntentFilter(); intentFilter.addAction(ACTION_MESSAGE_DELIVERY); - /* The reception of ACTION_MESSAGE_SENT have been moved to the MAP - * service, to be able to handle message sent events after a disconnect. */ - //intentFilter.addAction(ACTION_MESSAGE_SENT); try{ intentFilter.addDataType("message/*"); } catch (MalformedMimeTypeException e) { @@ -1737,20 +1738,7 @@ public class BluetoothMapContentObserver { return; } - if (action.equals(ACTION_MESSAGE_SENT)) { - int result = intent.getIntExtra(EXTRA_MESSAGE_SENT_RESULT, Activity.RESULT_CANCELED); - msgInfo.partsSent++; - if(result != Activity.RESULT_OK) { - // If just one of the parts in the message fails, we need to send the entire message again - msgInfo.failedSent = true; - } - if(D) Log.d(TAG, "onReceive: msgInfo.partsSent = " + msgInfo.partsSent - + ", msgInfo.parts = " + msgInfo.parts + " result = " + result); - - if (msgInfo.partsSent == msgInfo.parts) { - actionMessageSent(context, intent, msgInfo); - } - } else if (action.equals(ACTION_MESSAGE_DELIVERY)) { + if (action.equals(ACTION_MESSAGE_DELIVERY)) { long timestamp = intent.getLongExtra(EXTRA_MESSAGE_SENT_TIMESTAMP, 0); int status = -1; if(msgInfo.timestamp == timestamp) { @@ -1776,67 +1764,6 @@ public class BluetoothMapContentObserver { } } - private void actionMessageSent(Context context, Intent intent, PushMsgInfo msgInfo) { - /* As the MESSAGE_SENT intent is forwarded from the MAP service, we use the intent - * to carry the result, as getResult() will not return the correct value. - */ - boolean delete = false; - - if(D) Log.d(TAG,"actionMessageSent(): msgInfo.failedSent = " + msgInfo.failedSent); - - msgInfo.sendInProgress = false; - - if (msgInfo.failedSent == false) { - if(D) Log.d(TAG, "actionMessageSent: result OK"); - if (msgInfo.transparent == 0) { - if (!Sms.moveMessageToFolder(context, msgInfo.uri, - Sms.MESSAGE_TYPE_SENT, 0)) { - Log.w(TAG, "Failed to move " + msgInfo.uri + " to SENT"); - } - } else { - delete = true; - } - - Event evt = new Event(EVENT_TYPE_SENDING_SUCCESS, msgInfo.id, - folderSms[Sms.MESSAGE_TYPE_SENT], null, mSmsType); - sendEvent(evt); - - } else { - if (msgInfo.retry == 1) { - /* Notify failure, but keep message in outbox for resending */ - msgInfo.resend = true; - msgInfo.partsSent = 0; // Reset counter for the retry - msgInfo.failedSent = false; - Event evt = new Event(EVENT_TYPE_SENDING_FAILURE, msgInfo.id, - folderSms[Sms.MESSAGE_TYPE_OUTBOX], null, mSmsType); - sendEvent(evt); - } else { - if (msgInfo.transparent == 0) { - if (!Sms.moveMessageToFolder(context, msgInfo.uri, - Sms.MESSAGE_TYPE_FAILED, 0)) { - Log.w(TAG, "Failed to move " + msgInfo.uri + " to FAILED"); - } - } else { - delete = true; - } - - Event evt = new Event(EVENT_TYPE_SENDING_FAILURE, msgInfo.id, - folderSms[Sms.MESSAGE_TYPE_FAILED], null, mSmsType); - sendEvent(evt); - } - } - - if (delete == true) { - /* Delete from Observer message list to avoid delete notifications */ - synchronized(mMsgListSms) { - mMsgListSms.remove(msgInfo.id); - } - - /* Delete from DB */ - mResolver.delete(msgInfo.uri, null, null); - } - } - private void actionMessageDelivery(Context context, Intent intent, PushMsgInfo msgInfo) { Uri messageUri = intent.getData(); msgInfo.sendInProgress = false; @@ -1878,6 +1805,13 @@ public class BluetoothMapContentObserver { } static public void actionMessageSentDisconnected(Context context, Intent intent, int result) { + /* Check permission for message deletion. */ + if (context.checkCallingOrSelfPermission(android.Manifest.permission.WRITE_SMS) + != PackageManager.PERMISSION_GRANTED) { + Log.w(TAG, "actionMessageSentDisconnected: Not allowed to delete SMS/MMS messages"); + return; + } + boolean delete = false; //int retry = intent.getIntExtra(EXTRA_MESSAGE_SENT_RETRY, 0); int transparent = intent.getIntExtra(EXTRA_MESSAGE_SENT_TRANSPARENT, 0); @@ -1914,10 +1848,10 @@ public class BluetoothMapContentObserver { } } - if (delete == true) { + if (delete) { /* Delete from DB */ ContentResolver resolver = context.getContentResolver(); - if(resolver != null) { + if (resolver != null) { resolver.delete(uri, null, null); } else { Log.w(TAG, "Unable to get resolver"); |