author | Jeff Sharkey <jsharkey@android.com> | 2016-01-07 14:15:59 -0700 |
---|---|---|
committer | SteadyQuad <SteadyQuad@gmail.com> | 2016-04-17 02:57:22 +0200 |
commit | 32e542594c7dcdab5df96ff2edcf90f083d57ef4 (patch) | |
tree | bcc71ea4e10f98eed0c6832d5114684ca6892848 /src/com/android/providers/downloads/DownloadProvider.java | |
parent | 078607f9d636abf552ce851c896f2d95503a37e0 (diff) | |
Merge conflict--DO NOT MERGE. Use resolved path for both checking and opening.
This avoids a race condition where someone can change a symlink
target after the security checks have passed.
Bug: 26211054
Change-Id: I0dcc41c94dfede2d5dc75031191605944be2e595
Diffstat (limited to 'src/com/android/providers/downloads/DownloadProvider.java')
-rw-r--r-- | src/com/android/providers/downloads/DownloadProvider.java | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/src/com/android/providers/downloads/DownloadProvider.java b/src/com/android/providers/downloads/DownloadProvider.java
index 25d59014..5995a083 100644
--- a/src/com/android/providers/downloads/DownloadProvider.java
+++ b/src/com/android/providers/downloads/DownloadProvider.java
@@ -875,7 +875,7 @@ public final class DownloadProvider extends ContentProvider {
 if (projection == null) {
 projection = sAppReadableColumnsArray.clone();
 } else {
- // check the validity of the columns in projection
+ // check the validity of the columns in projection
 for (int i = 0; i < projection.length; ++i) {
 if (!sAppReadableColumnsSet.contains(projection[i]) && !downloadManagerColumnsList.contains(projection[i])) {
@@ -1221,11 +1221,17 @@ public final class DownloadProvider extends ContentProvider {
 if (path == null) {
 throw new FileNotFoundException("No filename found.");
 }
- if (!Helpers.isFilenameValid(getContext(), path, mDownloadsDataDir)) {
- throw new FileNotFoundException("Invalid filename: " + path);
+
+ final File file;
+ try {
+ file = new File(path).getCanonicalFile();
+ } catch (IOException e) {
+ throw new FileNotFoundException(e.getMessage());
 }
- final File file = new File(path);
+ if (!Helpers.isFilenameValid(getContext(), file)) {
+ throw new FileNotFoundException("Invalid file path: " + file);
+ }
 if ("r".equals(mode)) {
 return ParcelFileDescriptor.open(file, ParcelFileDescriptor.MODE_READ_ONLY);
 } else { |
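Review bot: The check and the open in the second hunk are still two separate path lookups: `getCanonicalFile()` takes a snapshot, `Helpers.isFilenameValid(getContext(), file)` validates that snapshot, and `ParcelFileDescriptor.open(file, ...)` resolves the path again. The window is therefore narrowed rather than closed if any directory on the canonical path can be changed by another app; whether that is possible depends on what `isFilenameValid` accepts, which is not visible here. I would record that assumption above the check, e.g. `// file is a canonical snapshot; open() re-resolves it, so accepted directories must not be modifiable by untrusted callers`. Separately, the new message `"Invalid file path: " + file` hands the resolved target back to the caller, where the old one echoed only the caller's own string; `throw new FileNotFoundException("Invalid file path: " + path);` keeps the resolved location out of the error. The enclosing method starts and ends outside the hunk.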