From 5c08fb8cbeb045b9ce447443208e87f42604d168 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey
Date: Thu, 7 Jan 2016 14:15:59 -0700
Subject: Use resolved path for both checking and opening.

This avoids a race condition where someone can change a symlink target after the security checks have passed.

Bug: 26211054
Change-Id: I5842aaecc7b7d417a3b1902957b59b8a1f3c1ccb
---
 src/com/android/providers/downloads/DownloadProvider.java | 10 ++++++++--
 src/com/android/providers/downloads/Helpers.java | 1 -
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/com/android/providers/downloads/DownloadProvider.java b/src/com/android/providers/downloads/DownloadProvider.java
index 4b23024f..2d914c41 100644
--- a/src/com/android/providers/downloads/DownloadProvider.java
+++ b/src/com/android/providers/downloads/DownloadProvider.java
@@ -1230,9 +1230,15 @@ public final class DownloadProvider extends ContentProvider {
 throw new FileNotFoundException("No filename found.");
 }
- final File file = new File(path);
+ final File file;
+ try {
+ file = new File(path).getCanonicalFile();
+ } catch (IOException e) {
+ throw new FileNotFoundException(e.getMessage());
+ }
+
 if (!Helpers.isFilenameValid(getContext(), file)) {
- throw new FileNotFoundException("Invalid file: " + file);
+ throw new FileNotFoundException("Invalid file path: " + file);
 }
 final int pfdMode = ParcelFileDescriptor.parseMode(mode);
diff --git a/src/com/android/providers/downloads/Helpers.java b/src/com/android/providers/downloads/Helpers.java
index eb071395..7ca50bb1 100644
--- a/src/com/android/providers/downloads/Helpers.java
+++ b/src/com/android/providers/downloads/Helpers.java
@@ -341,7 +341,6 @@ public class Helpers {
 static boolean isFilenameValid(Context context, File file) {
 final File[] whitelist;
 try {
- file = file.getCanonicalFile();
 whitelist = new File[] {
 context.getFilesDir().getCanonicalFile(),
 context.getCacheDir().getCanonicalFile(),
--
cgit v1.2.3
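Review bot: Resolving `path` once with `getCanonicalFile()` and reusing the result narrows the symlink race, but `file` is still a path, so the open that follows `parseMode` (outside this hunk, as are the start and end of the enclosing method) resolves it again. If that open is path-based, a component replaced after `isFilenameValid` returns would presumably still be followed, so it is worth re-checking the opened descriptor's real location against the same whitelist before handing it out. The second hunk removes `file = file.getCanonicalFile();` from `Helpers.isFilenameValid`, which means any other caller not shown here now gets a check on an unresolved path. A comment on that method such as `// Caller must pass an already-canonical File; links are not resolved here.` would record the new contract. In the new catch block `e.getMessage()` may be null and the cause is dropped; `throw new FileNotFoundException("Failed to resolve path: " + e);` keeps the reason visible.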