diff options
author | Brad Ebinger <breadley@google.com> | 2016-10-07 10:39:33 -0700 |
---|---|---|
committer | Brad Ebinger <breadley@google.com> | 2016-10-10 13:40:07 -0700 |
commit | 52823033626ee55474d942d5b9ea24e0f07dbb66 (patch) | |
tree | d91d8fa2143cf627351fbaba84ed4c41b65b5d0f /sip | |
parent | c3bd9d08a5b5fc810d27a65331e34a333d063a91 (diff) | |
download | android_packages_services_Telephony-52823033626ee55474d942d5b9ea24e0f07dbb66.tar.gz android_packages_services_Telephony-52823033626ee55474d942d5b9ea24e0f07dbb66.tar.bz2 android_packages_services_Telephony-52823033626ee55474d942d5b9ea24e0f07dbb66.zip |
Restrict SipProfiles to profiles directory
We now check SIP profile names to ensure that they do not attempt file
traversal when being saved. They are now restricted to be children of
the profiles/ directory.
BUG: 31530456
Change-Id: I9c9bce59d852e8a1cf500be6ca59b5e303877180
Diffstat (limited to 'sip')
3 files changed, 33 insertions, 5 deletions
diff --git a/sip/src/com/android/services/telephony/sip/SipEditor.java b/sip/src/com/android/services/telephony/sip/SipEditor.java index 8bc7734de..1cee25b24 100644 --- a/sip/src/com/android/services/telephony/sip/SipEditor.java +++ b/sip/src/com/android/services/telephony/sip/SipEditor.java @@ -258,7 +258,7 @@ public class SipEditor extends PreferenceActivity * * @param p The {@link SipProfile} to delete. */ - private void deleteAndUnregisterProfile(SipProfile p) { + private void deleteAndUnregisterProfile(SipProfile p) throws IOException { if (p == null) return; mProfileDb.deleteProfile(p); mSipAccountRegistry.stopSipService(this, p.getProfileName()); diff --git a/sip/src/com/android/services/telephony/sip/SipProfileDb.java b/sip/src/com/android/services/telephony/sip/SipProfileDb.java index e7b201b25..bb1c7ecd3 100644 --- a/sip/src/com/android/services/telephony/sip/SipProfileDb.java +++ b/sip/src/com/android/services/telephony/sip/SipProfileDb.java @@ -21,6 +21,7 @@ import com.android.internal.os.AtomicFile; import android.content.Context; import android.net.sip.SipProfile; import android.text.TextUtils; +import android.util.EventLog; import android.util.Log; import java.io.File; @@ -66,9 +67,13 @@ class SipProfileDb { mSipPreferences = new SipPreferences(mContext); } - public void deleteProfile(SipProfile p) { + public void deleteProfile(SipProfile p) throws IOException { synchronized(SipProfileDb.class) { - deleteProfile(new File(mProfilesDirectory + p.getProfileName())); + File profileFile = new File(mProfilesDirectory, p.getProfileName()); + if (!isChild(new File(mProfilesDirectory), profileFile)) { + throw new IOException("Invalid Profile Credentials!"); + } + deleteProfile(profileFile); if (mProfilesCount < 0) retrieveSipProfileListInternal(); } } @@ -93,7 +98,10 @@ class SipProfileDb { public void saveProfile(SipProfile p) throws IOException { synchronized(SipProfileDb.class) { if (mProfilesCount < 0) retrieveSipProfileListInternal(); - File f = new File(mProfilesDirectory + p.getProfileName()); + File f = new File(mProfilesDirectory, p.getProfileName()); + if (!isChild(new File(mProfilesDirectory), f)) { + throw new IOException("Invalid Profile Credentials!"); + } if (!f.exists()) f.mkdirs(); AtomicFile atomicFile = new AtomicFile(new File(f, PROFILE_OBJ_FILE)); FileOutputStream fos = null; @@ -173,4 +181,19 @@ class SipProfileDb { private static void log(String msg) { Log.d(SipUtil.LOG_TAG, PREFIX + msg); } + + /** + * Verifies that the file is a direct child of the base directory. + */ + private boolean isChild(File base, File file) { + if (base == null || file == null) { + return false; + } + if (!base.equals(file.getAbsoluteFile().getParentFile())) { + Log.w(SipUtil.LOG_TAG, "isChild, file is not a child of the base dir."); + EventLog.writeEvent(0x534e4554, "31530456", -1, ""); + return false; + } + return true; + } } diff --git a/sip/src/com/android/services/telephony/sip/SipUtil.java b/sip/src/com/android/services/telephony/sip/SipUtil.java index 3678c462f..cf03dd373 100644 --- a/sip/src/com/android/services/telephony/sip/SipUtil.java +++ b/sip/src/com/android/services/telephony/sip/SipUtil.java @@ -164,7 +164,12 @@ public class SipUtil { } Log.i(LOG_TAG, "(Migration) Deleting SIP profile: " + profileToMove.getProfileName()); - dbDeStorage.deleteProfile(profileToMove); + try { + dbDeStorage.deleteProfile(profileToMove); + } catch (IOException e) { + Log.w(LOG_TAG, "Error Deleting file: " + + profileToMove.getProfileName(), e); + } } } // Delete supporting structures if they exist |