diff options
author | Jeff Sharkey <jsharkey@android.com> | 2016-01-07 14:15:59 -0700 |
---|---|---|
committer | Jeff Sharkey <jsharkey@android.com> | 2016-01-14 14:14:45 -0700 |
commit | 366af2ee1f841615d44ab770b537112d769eed05 (patch) | |
tree | fe205687fc9d7a776d1f55b3d3e8ee823f1c0952 | |
parent | 10865031b1b87939310aef82b7a2572cb49025b2 (diff) | |
download | android_packages_providers_DownloadProvider-366af2ee1f841615d44ab770b537112d769eed05.tar.gz android_packages_providers_DownloadProvider-366af2ee1f841615d44ab770b537112d769eed05.tar.bz2 android_packages_providers_DownloadProvider-366af2ee1f841615d44ab770b537112d769eed05.zip |
Use resolved path for both checking and opening.
This avoids a race condition where someone can change a symlink
target after the security checks have passed.
Bug: 26211054
Change-Id: I5842aaecc7b7d417a3b1902957b59b8a1f3c1ccb
-rw-r--r-- | src/com/android/providers/downloads/DownloadProvider.java | 10 | ||||
-rw-r--r-- | src/com/android/providers/downloads/Helpers.java | 4 |
2 files changed, 8 insertions, 6 deletions
diff --git a/src/com/android/providers/downloads/DownloadProvider.java b/src/com/android/providers/downloads/DownloadProvider.java index 94e5a997..620085fc 100644 --- a/src/com/android/providers/downloads/DownloadProvider.java +++ b/src/com/android/providers/downloads/DownloadProvider.java @@ -1260,9 +1260,15 @@ public final class DownloadProvider extends ContentProvider { throw new FileNotFoundException("No filename found."); } - final File file = new File(path); + final File file; + try { + file = new File(path).getCanonicalFile(); + } catch (IOException e) { + throw new FileNotFoundException(e.getMessage()); + } + if (!Helpers.isFilenameValid(getContext(), file)) { - throw new FileNotFoundException("Invalid file: " + file); + throw new FileNotFoundException("Invalid file path: " + file); } final int pfdMode = ParcelFileDescriptor.parseMode(mode); diff --git a/src/com/android/providers/downloads/Helpers.java b/src/com/android/providers/downloads/Helpers.java index d1cc5450..d01cbff2 100644 --- a/src/com/android/providers/downloads/Helpers.java +++ b/src/com/android/providers/downloads/Helpers.java @@ -357,8 +357,6 @@ public class Helpers { static boolean isFilenameValidInExternalPackage(Context context, File file, String packageName) { try { - file = file.getCanonicalFile(); - if (containsCanonical(buildExternalStorageAppFilesDirs(packageName), file) || containsCanonical(buildExternalStorageAppObbDirs(packageName), file) || containsCanonical(buildExternalStorageAppCacheDirs(packageName), file) || @@ -380,8 +378,6 @@ public class Helpers { */ static boolean isFilenameValid(Context context, File file, boolean allowInternal) { try { - file = file.getCanonicalFile(); - if (allowInternal) { if (containsCanonical(context.getFilesDir(), file) || containsCanonical(context.getCacheDir(), file) |