32807795 Security Vulnerability - AOSP Messaging App: thirdparty can attach private files from "/data/data/com.android.messaging/" directory to the messaging app. am: a2aa53f83a am: 90bf70396d am: 305a004e19

am: 2397f2fbef

Change-Id: I16b590f76c9856d1407b336973ba86ff681415c6

2 files changed, 35 insertions, 2 deletions

diff --git a/src/com/android/messaging/datamodel/MediaScratchFileProvider.java b/src/com/android/messaging/datamodel/MediaScratchFileProvider.java
index 29ae4f4..a19523f 100644
--- a/src/com/android/messaging/datamodel/MediaScratchFileProvider.java
+++ b/src/com/android/messaging/datamodel/MediaScratchFileProvider.java
@@ -32,6 +32,7 @@ import com.android.messaging.util.LogUtil;
 import com.google.common.annotations.VisibleForTesting;
 
 import java.io.File;
+import java.io.IOException;
 import java.util.List;
 
 /**
@@ -89,8 +90,23 @@ public class MediaScratchFileProvider extends FileProvider {
 
     private static File getFileWithExtension(final String path, final String extension) {
         final Context context = Factory.get().getApplicationContext();
-        return new File(getDirectory(context),
+        final File filePath = new File(getDirectory(context),
                 TextUtils.isEmpty(extension) ? path : path + "." + extension);
+
+        try {
+            if (!filePath.getCanonicalPath()
+                    .startsWith(getDirectory(context).getCanonicalPath())) {
+                LogUtil.e(TAG, "getFileWithExtension: path "
+                        + filePath.getCanonicalPath()
+                        + " does not start with "
+                        + getDirectory(context).getCanonicalPath());
+                return null;
+            }
+        } catch (IOException e) {
+            LogUtil.e(TAG, "getFileWithExtension: getCanonicalPath failed ", e);
+            return null;
+        }
+        return filePath;
     }
 
     private static File getDirectory(final Context context) {
diff --git a/src/com/android/messaging/datamodel/MmsFileProvider.java b/src/com/android/messaging/datamodel/MmsFileProvider.java
index 0022630..eb49802 100644
--- a/src/com/android/messaging/datamodel/MmsFileProvider.java
+++ b/src/com/android/messaging/datamodel/MmsFileProvider.java
@@ -18,12 +18,14 @@ package com.android.messaging.datamodel;
 
 import android.content.Context;
 import android.net.Uri;
+import android.text.TextUtils;
 
 import com.android.messaging.Factory;
 import com.android.messaging.util.LogUtil;
 import com.google.common.annotations.VisibleForTesting;
 
 import java.io.File;
+import java.io.IOException;
 
 /**
  * A very simple content provider that can serve mms files from our cache directory.
@@ -60,7 +62,22 @@ public class MmsFileProvider extends FileProvider {
 
     private static File getFile(final String path) {
         final Context context = Factory.get().getApplicationContext();
-        return new File(getDirectory(context), path + ".dat");
+        final File filePath = new File(getDirectory(context), path + ".dat");
+
+        try {
+            if (!filePath.getCanonicalPath()
+                    .startsWith(getDirectory(context).getCanonicalPath())) {
+                LogUtil.e(TAG, "getFile: path "
+                        + filePath.getCanonicalPath()
+                        + " does not start with "
+                        + getDirectory(context).getCanonicalPath());
+                return null;
+            }
+        } catch (IOException e) {
+            LogUtil.e(TAG, "getFile: getCanonicalPath failed ", e);
+            return null;
+        }
+        return filePath;
     }
 
     private static File getDirectory(final Context context) {