diff options
author | Jeff Sharkey <jsharkey@android.com> | 2016-02-07 13:05:09 -0700 |
---|---|---|
committer | Jeff Sharkey <jsharkey@android.com> | 2016-02-08 17:56:15 -0700 |
commit | 8c088f73a53813869e68a5c4671c09e8732da6d3 (patch) | |
tree | 1867b819e1fc6afeff697981b4bfc95e41cb8ab5 /src/com/android/providers/downloads | |
parent | bb1c06b9dc2740a4055d9651c6559ac112e0c397 (diff) | |
download | android_packages_providers_DownloadProvider-8c088f73a53813869e68a5c4671c09e8732da6d3.tar.gz android_packages_providers_DownloadProvider-8c088f73a53813869e68a5c4671c09e8732da6d3.tar.bz2 android_packages_providers_DownloadProvider-8c088f73a53813869e68a5c4671c09e8732da6d3.zip |
Use resolved path for both checking and opening.
This avoids a race condition where someone can change a symlink
target after the security checks have passed.
Bug: 26211054
Change-Id: I5e1a2343d631109c21a4c5b2d8d00b2946756680
Diffstat (limited to 'src/com/android/providers/downloads')
-rw-r--r-- | src/com/android/providers/downloads/DownloadProvider.java | 28 | ||||
-rw-r--r-- | src/com/android/providers/downloads/Helpers.java | 4 |
2 files changed, 22 insertions, 10 deletions
diff --git a/src/com/android/providers/downloads/DownloadProvider.java b/src/com/android/providers/downloads/DownloadProvider.java index 94e5a997..78b42949 100644 --- a/src/com/android/providers/downloads/DownloadProvider.java +++ b/src/com/android/providers/downloads/DownloadProvider.java @@ -715,7 +715,13 @@ public final class DownloadProvider extends ContentProvider { throw new IllegalArgumentException("Invalid file URI: " + uri); } - final File file = new File(path); + final File file; + try { + file = new File(path).getCanonicalFile(); + } catch (IOException e) { + throw new SecurityException(e); + } + if (Helpers.isFilenameValidInExternalPackage(getContext(), file, getCallingPackage())) { // No permissions required for paths belonging to calling package return; @@ -1191,10 +1197,14 @@ public final class DownloadProvider extends ContentProvider { final String path = cursor.getString(1); if (!TextUtils.isEmpty(path)) { - final File file = new File(path); - if (Helpers.isFilenameValid(getContext(), file)) { - Log.v(Constants.TAG, "Deleting " + file + " via provider delete"); - file.delete(); + try { + final File file = new File(path).getCanonicalFile(); + if (Helpers.isFilenameValid(getContext(), file)) { + Log.v(Constants.TAG, + "Deleting " + file + " via provider delete"); + file.delete(); + } + } catch (IOException ignored) { } } } @@ -1260,7 +1270,13 @@ public final class DownloadProvider extends ContentProvider { throw new FileNotFoundException("No filename found."); } - final File file = new File(path); + final File file; + try { + file = new File(path).getCanonicalFile(); + } catch (IOException e) { + throw new FileNotFoundException(e.getMessage()); + } + if (!Helpers.isFilenameValid(getContext(), file)) { throw new FileNotFoundException("Invalid file: " + file); } diff --git a/src/com/android/providers/downloads/Helpers.java b/src/com/android/providers/downloads/Helpers.java index d1cc5450..d01cbff2 100644 --- a/src/com/android/providers/downloads/Helpers.java +++ b/src/com/android/providers/downloads/Helpers.java @@ -357,8 +357,6 @@ public class Helpers { static boolean isFilenameValidInExternalPackage(Context context, File file, String packageName) { try { - file = file.getCanonicalFile(); - if (containsCanonical(buildExternalStorageAppFilesDirs(packageName), file) || containsCanonical(buildExternalStorageAppObbDirs(packageName), file) || containsCanonical(buildExternalStorageAppCacheDirs(packageName), file) || @@ -380,8 +378,6 @@ public class Helpers { */ static boolean isFilenameValid(Context context, File file, boolean allowInternal) { try { - file = file.getCanonicalFile(); - if (allowInternal) { if (containsCanonical(context.getFilesDir(), file) || containsCanonical(context.getCacheDir(), file) |