author | Tom Taylor <tomtaylor@google.com> | 2016-12-06 22:24:07 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2016-12-06 22:24:07 +0000 |
commit | 313284eee7adb278160aa94d0842079993408ddb (patch) | |
tree | b01e66c41a3573f3b8187d3e8794da6c5e45bdac /src | |
parent | a044afd70debd781b7c31b202fb0dfc51909f22b (diff) | |
parent | 2397f2fbef0a1c66e1994059f8a0dc2f43d9c4f3 (diff) | |
32807795 Security Vulnerability - AOSP Messaging App: thirdparty can attach private files from "/data/data/com.android.messaging/" directory to the messaging app. am: a2aa53f83a am: 90bf70396d am: 305a004e19
am: 2397f2fbef
Change-Id: I16b590f76c9856d1407b336973ba86ff681415c6
Diffstat (limited to 'src')
-rw-r--r-- | src/com/android/messaging/datamodel/MediaScratchFileProvider.java | 18 | ||||
-rw-r--r-- | src/com/android/messaging/datamodel/MmsFileProvider.java | 19 |
2 files changed, 35 insertions, 2 deletions
diff --git a/src/com/android/messaging/datamodel/MediaScratchFileProvider.java b/src/com/android/messaging/datamodel/MediaScratchFileProvider.java
index 29ae4f4..a19523f 100644
--- a/src/com/android/messaging/datamodel/MediaScratchFileProvider.java
+++ b/src/com/android/messaging/datamodel/MediaScratchFileProvider.java
@@ -32,6 +32,7 @@ import com.android.messaging.util.LogUtil;
 import com.google.common.annotations.VisibleForTesting;
 import java.io.File;
+import java.io.IOException;
 import java.util.List;
 /**
@@ -89,8 +90,23 @@ public class MediaScratchFileProvider extends FileProvider {
 private static File getFileWithExtension(final String path, final String extension) {
 final Context context = Factory.get().getApplicationContext();
- return new File(getDirectory(context),
+ final File filePath = new File(getDirectory(context),
 TextUtils.isEmpty(extension) ? path : path + "." + extension);
+
+ try {
+ if (!filePath.getCanonicalPath()
+ .startsWith(getDirectory(context).getCanonicalPath())) {
+ LogUtil.e(TAG, "getFileWithExtension: path "
+ + filePath.getCanonicalPath()
+ + " does not start with "
+ + getDirectory(context).getCanonicalPath());
+ return null;
+ }
+ } catch (IOException e) {
+ LogUtil.e(TAG, "getFileWithExtension: getCanonicalPath failed ", e);
+ return null;
+ }
+ return filePath;
 }
 private static File getDirectory(final Context context) {
diff --git a/src/com/android/messaging/datamodel/MmsFileProvider.java b/src/com/android/messaging/datamodel/MmsFileProvider.java
index 0022630..eb49802 100644
--- a/src/com/android/messaging/datamodel/MmsFileProvider.java
+++ b/src/com/android/messaging/datamodel/MmsFileProvider.java
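Review bot: The containment test added to getFileWithExtension compares canonical paths with a plain `String.startsWith`, so a canonical path in a sibling location whose name merely begins with the scratch directory's name still passes, as does the directory itself; whether such a sibling exists in the app's data directory is not visible here. Anchoring the comparison on a separator closes that gap: `final String base = getDirectory(context).getCanonicalPath() + File.separator;` followed by `if (!filePath.getCanonicalPath().startsWith(base)) {`. The same check is added to getFile in MmsFileProvider.java and has the same weakness. Holding both canonical paths in locals would also avoid resolving them a second time for the log message.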
@@ -18,12 +18,14 @@ package com.android.messaging.datamodel;
 import android.content.Context;
 import android.net.Uri;
+import android.text.TextUtils;
 import com.android.messaging.Factory;
 import com.android.messaging.util.LogUtil;
 import com.google.common.annotations.VisibleForTesting;
 import java.io.File;
+import java.io.IOException;
 /**
 * A very simple content provider that can serve mms files from our cache directory.
@@ -60,7 +62,22 @@ public class MmsFileProvider extends FileProvider {
 private static File getFile(final String path) {
 final Context context = Factory.get().getApplicationContext();
- return new File(getDirectory(context), path + ".dat");
+ final File filePath = new File(getDirectory(context), path + ".dat");
+
+ try {
+ if (!filePath.getCanonicalPath()
+ .startsWith(getDirectory(context).getCanonicalPath())) {
+ LogUtil.e(TAG, "getFile: path "
+ + filePath.getCanonicalPath()
+ + " does not start with "
+ + getDirectory(context).getCanonicalPath());
+ return null;
+ }
+ } catch (IOException e) {
+ LogUtil.e(TAG, "getFile: getCanonicalPath failed ", e);
+ return null;
+ }
+ return filePath;
 }
 private static File getDirectory(final Context context) { |
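Review bot: `import android.text.TextUtils;` is added in the import hunk, but nothing in the hunks shown for MmsFileProvider.java refers to TextUtils; the new getFile body uses only File, IOException and LogUtil. Unless code outside this diff needs it, the import looks unused and can be dropped.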
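Review bot: getFile now returns `null` for a rejected path or a failed canonicalisation, where it previously always returned a File, and its callers sit outside this diff. It is worth confirming that each caller checks for null before opening or deleting the file, and recording the new contract on the method, e.g. `// Returns null when path resolves outside getDirectory(context) or cannot be canonicalised.` The same applies to getFileWithExtension in MediaScratchFileProvider.java. The check is also copied verbatim into both providers; a shared helper in their common base class (FileProvider, per the class declarations) would keep the two copies from drifting apart.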