summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJeff Sharkey <jsharkey@android.com>2016-01-07 21:15:59 (GMT)
committerThe Android Automerger <android-build@google.com>2016-03-01 23:26:56 (GMT)
commit8ec005728d47e282d72801b4bb43c9a3ea8f717f (patch)
treefe205687fc9d7a776d1f55b3d3e8ee823f1c0952
parent616188b0a0c96e88926e84cfe156908f0da9ebe2 (diff)
downloadandroid_packages_providers_DownloadProvider-8ec005728d47e282d72801b4bb43c9a3ea8f717f.zip
android_packages_providers_DownloadProvider-8ec005728d47e282d72801b4bb43c9a3ea8f717f.tar.gz
android_packages_providers_DownloadProvider-8ec005728d47e282d72801b4bb43c9a3ea8f717f.tar.bz2
Use resolved path for both checking and opening.
This avoids a race condition where someone can change a symlink target after the security checks have passed. Bug: 26211054 Change-Id: I5842aaecc7b7d417a3b1902957b59b8a1f3c1ccb
-rw-r--r--src/com/android/providers/downloads/DownloadProvider.java10
-rw-r--r--src/com/android/providers/downloads/Helpers.java4
2 files changed, 8 insertions, 6 deletions
diff --git a/src/com/android/providers/downloads/DownloadProvider.java b/src/com/android/providers/downloads/DownloadProvider.java
index 94e5a99..620085f 100644
--- a/src/com/android/providers/downloads/DownloadProvider.java
+++ b/src/com/android/providers/downloads/DownloadProvider.java
@@ -1260,9 +1260,15 @@ public final class DownloadProvider extends ContentProvider {
throw new FileNotFoundException("No filename found.");
}
- final File file = new File(path);
+ final File file;
+ try {
+ file = new File(path).getCanonicalFile();
+ } catch (IOException e) {
+ throw new FileNotFoundException(e.getMessage());
+ }
+
if (!Helpers.isFilenameValid(getContext(), file)) {
- throw new FileNotFoundException("Invalid file: " + file);
+ throw new FileNotFoundException("Invalid file path: " + file);
}
final int pfdMode = ParcelFileDescriptor.parseMode(mode);
diff --git a/src/com/android/providers/downloads/Helpers.java b/src/com/android/providers/downloads/Helpers.java
index d1cc545..d01cbff 100644
--- a/src/com/android/providers/downloads/Helpers.java
+++ b/src/com/android/providers/downloads/Helpers.java
@@ -357,8 +357,6 @@ public class Helpers {
static boolean isFilenameValidInExternalPackage(Context context, File file,
String packageName) {
try {
- file = file.getCanonicalFile();
-
if (containsCanonical(buildExternalStorageAppFilesDirs(packageName), file) ||
containsCanonical(buildExternalStorageAppObbDirs(packageName), file) ||
containsCanonical(buildExternalStorageAppCacheDirs(packageName), file) ||
@@ -380,8 +378,6 @@ public class Helpers {
*/
static boolean isFilenameValid(Context context, File file, boolean allowInternal) {
try {
- file = file.getCanonicalFile();
-
if (allowInternal) {
if (containsCanonical(context.getFilesDir(), file)
|| containsCanonical(context.getCacheDir(), file)