From 8ec005728d47e282d72801b4bb43c9a3ea8f717f Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Thu, 7 Jan 2016 14:15:59 -0700
Subject: Use resolved path for both checking and opening.

This avoids a race condition where someone can change a symlink
target after the security checks have passed.

Bug: 26211054
Change-Id: I5842aaecc7b7d417a3b1902957b59b8a1f3c1ccb
---
 src/com/android/providers/downloads/DownloadProvider.java | 10 ++++++++--
 src/com/android/providers/downloads/Helpers.java          |  4 ----
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/com/android/providers/downloads/DownloadProvider.java b/src/com/android/providers/downloads/DownloadProvider.java
index 94e5a997..620085fc 100644
--- a/src/com/android/providers/downloads/DownloadProvider.java
+++ b/src/com/android/providers/downloads/DownloadProvider.java
@@ -1260,9 +1260,15 @@ public final class DownloadProvider extends ContentProvider {
             throw new FileNotFoundException("No filename found.");
         }
 
-        final File file = new File(path);
+        final File file;
+        try {
+            file = new File(path).getCanonicalFile();
+        } catch (IOException e) {
+            throw new FileNotFoundException(e.getMessage());
+        }
+
         if (!Helpers.isFilenameValid(getContext(), file)) {
-            throw new FileNotFoundException("Invalid file: " + file);
+            throw new FileNotFoundException("Invalid file path: " + file);
         }
 
         final int pfdMode = ParcelFileDescriptor.parseMode(mode);
diff --git a/src/com/android/providers/downloads/Helpers.java b/src/com/android/providers/downloads/Helpers.java
index d1cc5450..d01cbff2 100644
--- a/src/com/android/providers/downloads/Helpers.java
+++ b/src/com/android/providers/downloads/Helpers.java
@@ -357,8 +357,6 @@ public class Helpers {
     static boolean isFilenameValidInExternalPackage(Context context, File file,
             String packageName) {
         try {
-            file = file.getCanonicalFile();
-
             if (containsCanonical(buildExternalStorageAppFilesDirs(packageName), file) ||
                     containsCanonical(buildExternalStorageAppObbDirs(packageName), file) ||
                     containsCanonical(buildExternalStorageAppCacheDirs(packageName), file) ||
@@ -380,8 +378,6 @@ public class Helpers {
      */
     static boolean isFilenameValid(Context context, File file, boolean allowInternal) {
         try {
-            file = file.getCanonicalFile();
-
             if (allowInternal) {
                 if (containsCanonical(context.getFilesDir(), file)
                         || containsCanonical(context.getCacheDir(), file)
-- 
cgit v1.2.3


From e74ee404073426ec7d223bee37c9a3de334dffd9 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Tue, 16 Feb 2016 16:10:32 -0700
Subject: DO NOT MERGE. Use resolved path when inserting and deleting.

This avoids a race condition where someone can change a symlink
target after the security checks have passed.

Bug: 26211054
Change-Id: I03b06b746fde5d08d6b61a7011bdace0b4e9fa77
---
 .../providers/downloads/DownloadProvider.java        | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/src/com/android/providers/downloads/DownloadProvider.java b/src/com/android/providers/downloads/DownloadProvider.java
index 620085fc..d9acc789 100644
--- a/src/com/android/providers/downloads/DownloadProvider.java
+++ b/src/com/android/providers/downloads/DownloadProvider.java
@@ -715,7 +715,13 @@ public final class DownloadProvider extends ContentProvider {
             throw new IllegalArgumentException("Invalid file URI: " + uri);
         }
 
-        final File file = new File(path);
+        final File file;
+        try {
+            file = new File(path).getCanonicalFile();
+        } catch (IOException e) {
+            throw new SecurityException(e);
+        }
+
         if (Helpers.isFilenameValidInExternalPackage(getContext(), file, getCallingPackage())) {
             // No permissions required for paths belonging to calling package
             return;
@@ -1191,10 +1197,14 @@ public final class DownloadProvider extends ContentProvider {
 
                         final String path = cursor.getString(1);
                         if (!TextUtils.isEmpty(path)) {
-                            final File file = new File(path);
-                            if (Helpers.isFilenameValid(getContext(), file)) {
-                                Log.v(Constants.TAG, "Deleting " + file + " via provider delete");
-                                file.delete();
+                            try {
+                                final File file = new File(path).getCanonicalFile();
+                                if (Helpers.isFilenameValid(getContext(), file)) {
+                                    Log.v(Constants.TAG,
+                                            "Deleting " + file + " via provider delete");
+                                    file.delete();
+                                }
+                            } catch (IOException ignored) {
                             }
                         }
                     }
-- 
cgit v1.2.3