From ebb842e081f2d9eddbeddb9447631fd81e8961b9 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey
Date: Tue, 16 Feb 2016 15:47:03 -0700
Subject: DO NOT MERGE. Use resolved path when inserting and deleting.

This avoids a race condition where someone can change a symlink target after the security checks have passed.
Bug: 26211054
Change-Id: I40ed6d2298e4b66b4f7a055e68d9820515adf351
---
 .../providers/downloads/DownloadProvider.java | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
(limited to 'src/com/android/providers/downloads')
diff --git a/src/com/android/providers/downloads/DownloadProvider.java b/src/com/android/providers/downloads/DownloadProvider.java
index 620085fc..d9acc789 100644
--- a/src/com/android/providers/downloads/DownloadProvider.java
+++ b/src/com/android/providers/downloads/DownloadProvider.java
@@ -715,7 +715,13 @@ public final class DownloadProvider extends ContentProvider {
 throw new IllegalArgumentException("Invalid file URI: " + uri);
 }
- final File file = new File(path);
+ final File file;
+ try {
+ file = new File(path).getCanonicalFile();
+ } catch (IOException e) {
+ throw new SecurityException(e);
+ }
+
 if (Helpers.isFilenameValidInExternalPackage(getContext(), file, getCallingPackage())) {
 // No permissions required for paths belonging to calling package
 return;
@@ -1191,10 +1197,14 @@ public final class DownloadProvider extends ContentProvider {
 final String path = cursor.getString(1);
 if (!TextUtils.isEmpty(path)) {
- final File file = new File(path);
- if (Helpers.isFilenameValid(getContext(), file)) {
- Log.v(Constants.TAG, "Deleting " + file + " via provider delete");
- file.delete();
+ try {
+ final File file = new File(path).getCanonicalFile();
+ if (Helpers.isFilenameValid(getContext(), file)) {
+ Log.v(Constants.TAG,
+ "Deleting " + file + " via provider delete");
+ file.delete();
+ }
+ } catch (IOException ignored) {
 }
 }
 }
-- cgit v1.2.3
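Review bot: The canonical `file` built in the first hunk is used only for the permission checks that follow; nothing visible there writes the resolved path back into the row being inserted. If the caller-supplied URI is what the download later opens, a symlink retargeted after these checks would still be followed, which is the race the commit message describes. The enclosing method starts and ends outside the hunk, so this may already be handled further down. If it is not, persist the resolved form right after canonicalising, e.g. `values.put(Downloads.Impl.COLUMN_FILE_NAME_HINT, Uri.fromFile(file).toString());` (the `values` name is assumed, it is not visible in the hunk).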
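Review bot: The empty `catch (IOException ignored) { }` in the second hunk means a row whose path cannot be canonicalised is skipped without any trace, so the file stays on disk while the caller presumably still sees the delete complete. Skipping is the safe choice for an unresolvable path, but it should be recorded, e.g. `} catch (IOException e) { Log.w(Constants.TAG, "Not deleting " + path + ": cannot resolve path", e); }`. The result of `file.delete()` is discarded as well, so a failed delete is equally silent. The enclosing loop and method start outside the hunk.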