From 8be3a92eb0b4105a9ed748be5a937ce79145f565 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Mon, 1 Aug 2016 10:24:24 -0600
Subject: Enforce calling identity before clearing.

When opening a downloaded file, enforce that the caller can actually
see the requested download before clearing their identity to read
internal columns.

Bug: 30537115
Change-Id: I01bbad7997e5e908bfb19f5d576860a24f59f295
---
 src/com/android/providers/downloads/DownloadProvider.java | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'src/com/android/providers/downloads')

diff --git a/src/com/android/providers/downloads/DownloadProvider.java b/src/com/android/providers/downloads/DownloadProvider.java
index 2d914c41..d2a9d847 100644
--- a/src/com/android/providers/downloads/DownloadProvider.java
+++ b/src/com/android/providers/downloads/DownloadProvider.java
@@ -1192,6 +1192,19 @@ public final class DownloadProvider extends ContentProvider {
             logVerboseOpenFileInfo(uri, mode);
         }
 
+        // Perform normal query to enforce caller identity access before
+        // clearing it to reach internal-only columns
+        final Cursor probeCursor = query(uri, new String[] {
+                Downloads.Impl._DATA }, null, null, null);
+        try {
+            if ((probeCursor == null) || (probeCursor.getCount() == 0)) {
+                throw new FileNotFoundException(
+                        "No file found for " + uri + " as UID " + Binder.getCallingUid());
+            }
+        } finally {
+            IoUtils.closeQuietly(probeCursor);
+        }
+
         final Cursor cursor = queryCleared(uri, new String[] {
                 Downloads.Impl._DATA, Downloads.Impl.COLUMN_STATUS,
                 Downloads.Impl.COLUMN_DESTINATION, Downloads.Impl.COLUMN_MEDIA_SCANNED }, null,
-- 
cgit v1.2.3