diff options
author | Tom Taylor <tomtaylor@google.com> | 2016-12-05 16:39:55 -0800 |
---|---|---|
committer | Brinly Taylor <brinly@brinly.me> | 2017-03-13 04:57:46 +0000 |
commit | 695a54573371e0e4199e3fd3454802dc821725f3 (patch) | |
tree | 85c860a2e87ef5dc99df0c32ff05e4ad439a21b4 | |
parent | f4a97c13cb076d606de10bdd068e8effff1b3646 (diff) | |
download | packages_apps_Messaging-695a54573371e0e4199e3fd3454802dc821725f3.tar.gz packages_apps_Messaging-695a54573371e0e4199e3fd3454802dc821725f3.tar.bz2 packages_apps_Messaging-695a54573371e0e4199e3fd3454802dc821725f3.zip |
32807795 Security Vulnerability - AOSP Messaging App: thirdparty can
attach private files from "/data/data/com.android.messaging/"
directory to the messaging app.
* This is a manual merge from ag/871758 -- backporting a security fix from
Bugle to Kazoo.
* Don't export the MediaScratchFileProvider or the MmsFileProvider. This
will block external access from third party apps. In addition, make both
providers more robust in handling path names. Make sure the file paths
handled in the providers point to the expected directory.
Change-Id: I9e6b3ae0e122e3f5022243418f2893d4a0859edb
Fixes: 32807795
(cherry picked from commit a2aa53f83afbd13b04cbdcca494fd3cf659c155d)
(cherry picked from commit 9879d17384ac3e3d4046b7f79d21aee3a1183284)
-rw-r--r-- | AndroidManifest.xml | 6 | ||||
-rw-r--r-- | src/com/android/messaging/datamodel/MediaScratchFileProvider.java | 18 | ||||
-rw-r--r-- | src/com/android/messaging/datamodel/MmsFileProvider.java | 19 |
3 files changed, 39 insertions, 4 deletions
diff --git a/AndroidManifest.xml b/AndroidManifest.xml index 7563f9c..90880dc 100644 --- a/AndroidManifest.xml +++ b/AndroidManifest.xml @@ -322,11 +322,13 @@ <provider android:name=".datamodel.MmsFileProvider" android:authorities="com.android.messaging.datamodel.MmsFileProvider" - android:grantUriPermissions="true" /> + android:grantUriPermissions="true" + android:exported="false" /> <provider android:name=".datamodel.MediaScratchFileProvider" android:authorities="com.android.messaging.datamodel.MediaScratchFileProvider" - android:grantUriPermissions="true" /> + android:grantUriPermissions="true" + android:exported="false" /> <!-- Action Services --> diff --git a/src/com/android/messaging/datamodel/MediaScratchFileProvider.java b/src/com/android/messaging/datamodel/MediaScratchFileProvider.java index 29ae4f4..a19523f 100644 --- a/src/com/android/messaging/datamodel/MediaScratchFileProvider.java +++ b/src/com/android/messaging/datamodel/MediaScratchFileProvider.java @@ -32,6 +32,7 @@ import com.android.messaging.util.LogUtil; import com.google.common.annotations.VisibleForTesting; import java.io.File; +import java.io.IOException; import java.util.List; /** @@ -89,8 +90,23 @@ public class MediaScratchFileProvider extends FileProvider { private static File getFileWithExtension(final String path, final String extension) { final Context context = Factory.get().getApplicationContext(); - return new File(getDirectory(context), + final File filePath = new File(getDirectory(context), TextUtils.isEmpty(extension) ? path : path + "." + extension); + + try { + if (!filePath.getCanonicalPath() + .startsWith(getDirectory(context).getCanonicalPath())) { + LogUtil.e(TAG, "getFileWithExtension: path " + + filePath.getCanonicalPath() + + " does not start with " + + getDirectory(context).getCanonicalPath()); + return null; + } + } catch (IOException e) { + LogUtil.e(TAG, "getFileWithExtension: getCanonicalPath failed ", e); + return null; + } + return filePath; } private static File getDirectory(final Context context) { diff --git a/src/com/android/messaging/datamodel/MmsFileProvider.java b/src/com/android/messaging/datamodel/MmsFileProvider.java index 0022630..eb49802 100644 --- a/src/com/android/messaging/datamodel/MmsFileProvider.java +++ b/src/com/android/messaging/datamodel/MmsFileProvider.java @@ -18,12 +18,14 @@ package com.android.messaging.datamodel; import android.content.Context; import android.net.Uri; +import android.text.TextUtils; import com.android.messaging.Factory; import com.android.messaging.util.LogUtil; import com.google.common.annotations.VisibleForTesting; import java.io.File; +import java.io.IOException; /** * A very simple content provider that can serve mms files from our cache directory. @@ -60,7 +62,22 @@ public class MmsFileProvider extends FileProvider { private static File getFile(final String path) { final Context context = Factory.get().getApplicationContext(); - return new File(getDirectory(context), path + ".dat"); + final File filePath = new File(getDirectory(context), path + ".dat"); + + try { + if (!filePath.getCanonicalPath() + .startsWith(getDirectory(context).getCanonicalPath())) { + LogUtil.e(TAG, "getFile: path " + + filePath.getCanonicalPath() + + " does not start with " + + getDirectory(context).getCanonicalPath()); + return null; + } + } catch (IOException e) { + LogUtil.e(TAG, "getFile: getCanonicalPath failed ", e); + return null; + } + return filePath; } private static File getDirectory(final Context context) { |