authorTom Taylor <tomtaylor@google.com>2016-12-05 16:39:55 -0800
committerBrinly Taylor <brinly@brinly.me>2017-03-13 04:57:46 +0000
commit695a54573371e0e4199e3fd3454802dc821725f3 (patch)
tree85c860a2e87ef5dc99df0c32ff05e4ad439a21b4
parentf4a97c13cb076d606de10bdd068e8effff1b3646 (diff)
32807795 Security Vulnerability - AOSP Messaging App: thirdparty can
attach private files from "/data/data/com.android.messaging/" directory to the messaging app. * This is a manual merge from ag/871758 -- backporting a security fix from Bugle to Kazoo. * Don't export the MediaScratchFileProvider or the MmsFileProvider. This will block external access from third party apps. In addition, make both providers more robust in handling path names. Make sure the file paths handled in the providers point to the expected directory. Change-Id: I9e6b3ae0e122e3f5022243418f2893d4a0859edb Fixes: 32807795 (cherry picked from commit a2aa53f83afbd13b04cbdcca494fd3cf659c155d) (cherry picked from commit 9879d17384ac3e3d4046b7f79d21aee3a1183284)
-rw-r--r--AndroidManifest.xml6
-rw-r--r--src/com/android/messaging/datamodel/MediaScratchFileProvider.java18
-rw-r--r--src/com/android/messaging/datamodel/MmsFileProvider.java19
3 files changed, 39 insertions, 4 deletions
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index 7563f9c..90880dc 100644
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -322,11 +322,13 @@
<provider android:name=".datamodel.MmsFileProvider"
android:authorities="com.android.messaging.datamodel.MmsFileProvider"
- android:grantUriPermissions="true" />
+ android:grantUriPermissions="true"
+ android:exported="false" />
<provider android:name=".datamodel.MediaScratchFileProvider"
android:authorities="com.android.messaging.datamodel.MediaScratchFileProvider"
- android:grantUriPermissions="true" />
+ android:grantUriPermissions="true"
+ android:exported="false" />
<!-- Action Services -->
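Review bot: Both `<provider>` entries keep `android:grantUriPermissions="true"` next to the new `android:exported="false"`, so any URI the app itself hands out with a grant flag is still readable by the receiving app. That leaves the path checks inside the providers as the control that confines those grants. A short comment above each entry would record this, e.g. `<!-- Not exported: other apps reach this only through per-URI grants issued by Messaging. -->`. If grants are only ever needed for a known sub-path, `<grant-uri-permission>` child elements could narrow them further; whether that fits cannot be told from this hunk.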
diff --git a/src/com/android/messaging/datamodel/MediaScratchFileProvider.java b/src/com/android/messaging/datamodel/MediaScratchFileProvider.java
index 29ae4f4..a19523f 100644
--- a/src/com/android/messaging/datamodel/MediaScratchFileProvider.java
+++ b/src/com/android/messaging/datamodel/MediaScratchFileProvider.java
@@ -32,6 +32,7 @@ import com.android.messaging.util.LogUtil;
import com.google.common.annotations.VisibleForTesting;
import java.io.File;
+import java.io.IOException;
import java.util.List;
/**
@@ -89,8 +90,23 @@ public class MediaScratchFileProvider extends FileProvider {
private static File getFileWithExtension(final String path, final String extension) {
final Context context = Factory.get().getApplicationContext();
- return new File(getDirectory(context),
+ final File filePath = new File(getDirectory(context),
TextUtils.isEmpty(extension) ? path : path + "." + extension);
+
+ try {
+ if (!filePath.getCanonicalPath()
+ .startsWith(getDirectory(context).getCanonicalPath())) {
+ LogUtil.e(TAG, "getFileWithExtension: path "
+ + filePath.getCanonicalPath()
+ + " does not start with "
+ + getDirectory(context).getCanonicalPath());
+ return null;
+ }
+ } catch (IOException e) {
+ LogUtil.e(TAG, "getFileWithExtension: getCanonicalPath failed ", e);
+ return null;
+ }
+ return filePath;
}
private static File getDirectory(final Context context) {
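Review bot: The containment test in getFileWithExtension compares canonical paths with a bare `startsWith`, which also accepts a sibling directory whose name merely begins with the provider directory's name (constructed example: `/x/scratch` versus `/x/scratch-old/f`). Appending the separator to the directory side closes that gap: `final String dir = getDirectory(context).getCanonicalPath() + File.separator;` followed by `if (!filePath.getCanonicalPath().startsWith(dir))`. The same comparison is added to MmsFileProvider.getFile in this commit and needs the same change. The method now returns null on rejection, so a Javadoc `@return` line saying so would help its callers, which are outside this hunk.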
diff --git a/src/com/android/messaging/datamodel/MmsFileProvider.java b/src/com/android/messaging/datamodel/MmsFileProvider.java
index 0022630..eb49802 100644
--- a/src/com/android/messaging/datamodel/MmsFileProvider.java
+++ b/src/com/android/messaging/datamodel/MmsFileProvider.java
@@ -18,12 +18,14 @@ package com.android.messaging.datamodel;
import android.content.Context;
import android.net.Uri;
+import android.text.TextUtils;
import com.android.messaging.Factory;
import com.android.messaging.util.LogUtil;
import com.google.common.annotations.VisibleForTesting;
import java.io.File;
+import java.io.IOException;
/**
* A very simple content provider that can serve mms files from our cache directory.
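Review bot: The added `import android.text.TextUtils;` is not referenced by any line this commit adds to MmsFileProvider.java, so it looks unused and can be dropped. The diffstat's 19 changed lines for this file are fully accounted for by the two imports and the getFile rewrite. Only `java.io.IOException` is needed, for the new catch block.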
@@ -60,7 +62,22 @@ public class MmsFileProvider extends FileProvider {
private static File getFile(final String path) {
final Context context = Factory.get().getApplicationContext();
- return new File(getDirectory(context), path + ".dat");
+ final File filePath = new File(getDirectory(context), path + ".dat");
+
+ try {
+ if (!filePath.getCanonicalPath()
+ .startsWith(getDirectory(context).getCanonicalPath())) {
+ LogUtil.e(TAG, "getFile: path "
+ + filePath.getCanonicalPath()
+ + " does not start with "
+ + getDirectory(context).getCanonicalPath());
+ return null;
+ }
+ } catch (IOException e) {
+ LogUtil.e(TAG, "getFile: getCanonicalPath failed ", e);
+ return null;
+ }
+ return filePath;
}
private static File getDirectory(final Context context) {
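Review bot: This block in getFile is a copy of the check added to MediaScratchFileProvider.getFileWithExtension, down to the log wording, so a later correction to one can easily miss the other. Both classes extend FileProvider; if that is the app's own base class (not visible here), one helper there, for instance `protected static File resolveInDirectory(File dir, String name)`, would hold the canonical-path test in a single place. It would also let the canonical paths be computed once each, instead of calling `getCanonicalPath()` up to four times on the reject path as the current code does.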