authorJeff Sharkey <jsharkey@android.com>2016-02-07 13:05:09 -0700
committerJeff Sharkey <jsharkey@android.com>2016-02-08 17:56:15 -0700
commit8c088f73a53813869e68a5c4671c09e8732da6d3 (patch)
tree1867b819e1fc6afeff697981b4bfc95e41cb8ab5 /src/com/android/providers/downloads
parentbb1c06b9dc2740a4055d9651c6559ac112e0c397 (diff)
Use resolved path for both checking and opening.
This avoids a race condition where someone can change a symlink target after the security checks have passed. Bug: 26211054 Change-Id: I5e1a2343d631109c21a4c5b2d8d00b2946756680
Diffstat (limited to 'src/com/android/providers/downloads')
-rw-r--r--src/com/android/providers/downloads/DownloadProvider.java28
-rw-r--r--src/com/android/providers/downloads/Helpers.java4
2 files changed, 22 insertions, 10 deletions
diff --git a/src/com/android/providers/downloads/DownloadProvider.java b/src/com/android/providers/downloads/DownloadProvider.java
index 94e5a997..78b42949 100644
--- a/src/com/android/providers/downloads/DownloadProvider.java
+++ b/src/com/android/providers/downloads/DownloadProvider.java
@@ -715,7 +715,13 @@ public final class DownloadProvider extends ContentProvider {
throw new IllegalArgumentException("Invalid file URI: " + uri);
}
- final File file = new File(path);
+ final File file;
+ try {
+ file = new File(path).getCanonicalFile();
+ } catch (IOException e) {
+ throw new SecurityException(e);
+ }
+
if (Helpers.isFilenameValidInExternalPackage(getContext(), file, getCallingPackage())) {
// No permissions required for paths belonging to calling package
return;
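Review bot: The canonical `file` built here is used only for the permission checks and then discarded; the success path ends in a bare `return;`, so the caller cannot receive the resolved path. If the insert code outside this hunk stores the original `uri` as the download destination, the later write re-resolves it and a symlink changed after this check would still be followed. That is inferred, since the enclosing method starts and ends outside the hunk. Consider returning the canonical path so that it is the value persisted, or at least add a comment such as `// NOTE: only the check uses the resolved path; the destination is re-resolved at write time`.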
@@ -1191,10 +1197,14 @@ public final class DownloadProvider extends ContentProvider {
final String path = cursor.getString(1);
if (!TextUtils.isEmpty(path)) {
- final File file = new File(path);
- if (Helpers.isFilenameValid(getContext(), file)) {
- Log.v(Constants.TAG, "Deleting " + file + " via provider delete");
- file.delete();
+ try {
+ final File file = new File(path).getCanonicalFile();
+ if (Helpers.isFilenameValid(getContext(), file)) {
+ Log.v(Constants.TAG,
+ "Deleting " + file + " via provider delete");
+ file.delete();
+ }
+ } catch (IOException ignored) {
}
}
}
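Review bot: The empty `catch (IOException ignored) { }` makes a canonicalization failure indistinguishable from a row that had no file to delete, so the file stays on disk with nothing in the log. Record it, for example `Log.w(Constants.TAG, "Not deleting " + path + ": " + e);`, and consider checking the boolean returned by `file.delete()` in the same way. The enclosing loop and method lie outside the hunk, so whether the database row is still removed in that case cannot be confirmed from here.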
@@ -1260,7 +1270,13 @@ public final class DownloadProvider extends ContentProvider {
throw new FileNotFoundException("No filename found.");
}
- final File file = new File(path);
+ final File file;
+ try {
+ file = new File(path).getCanonicalFile();
+ } catch (IOException e) {
+ throw new FileNotFoundException(e.getMessage());
+ }
+
if (!Helpers.isFilenameValid(getContext(), file)) {
throw new FileNotFoundException("Invalid file: " + file);
}
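Review bot: `Helpers.isFilenameValid(getContext(), file)` is now only safe when the caller has already canonicalized `file`, because the Helpers.java hunks remove `file = file.getCanonicalFile();` from both `isFilenameValidInExternalPackage` and `isFilenameValid`, and nothing on the new side states that precondition. The diffstat is limited to this directory, so any caller elsewhere that still passes an unresolved `File` would now be checked against the raw path. Add a line to both helpers' Javadoc such as `@param file already-canonical file; callers must resolve with getCanonicalFile() and use that same File for the open`. The enclosing method here continues outside the hunk.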
diff --git a/src/com/android/providers/downloads/Helpers.java b/src/com/android/providers/downloads/Helpers.java
index d1cc5450..d01cbff2 100644
--- a/src/com/android/providers/downloads/Helpers.java
+++ b/src/com/android/providers/downloads/Helpers.java
@@ -357,8 +357,6 @@ public class Helpers {
static boolean isFilenameValidInExternalPackage(Context context, File file,
String packageName) {
try {
- file = file.getCanonicalFile();
-
if (containsCanonical(buildExternalStorageAppFilesDirs(packageName), file) ||
containsCanonical(buildExternalStorageAppObbDirs(packageName), file) ||
containsCanonical(buildExternalStorageAppCacheDirs(packageName), file) ||
@@ -380,8 +378,6 @@ public class Helpers {
*/
static boolean isFilenameValid(Context context, File file, boolean allowInternal) {
try {
- file = file.getCanonicalFile();
-
if (allowInternal) {
if (containsCanonical(context.getFilesDir(), file)
|| containsCanonical(context.getCacheDir(), file)