diff options
author | Tom Taylor <tomtaylor@google.com> | 2016-12-06 22:27:37 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2016-12-06 22:27:37 +0000 |
commit | 4dfcff98daa40728d0cb8920f54515f3d449e4b0 (patch) | |
tree | aee15cef43abc5f7eed6f670518439055907e723 /src/com | |
parent | a1562e5ab6a4cd8a96d4fd9ae571d07d75b26179 (diff) | |
parent | 313284eee7adb278160aa94d0842079993408ddb (diff) | |
download | packages_apps_Messaging-4dfcff98daa40728d0cb8920f54515f3d449e4b0.tar.gz packages_apps_Messaging-4dfcff98daa40728d0cb8920f54515f3d449e4b0.tar.bz2 packages_apps_Messaging-4dfcff98daa40728d0cb8920f54515f3d449e4b0.zip |
32807795 Security Vulnerability - AOSP Messaging App: thirdparty can attach private files from "/data/data/com.android.messaging/" directory to the messaging app. am: a2aa53f83a am: 90bf70396d am: 305a004e19 am: 2397f2fbef
am: 313284eee7
Change-Id: Iaa18124b7f9090efe55a0a46a1851ff5c0b6fe28
Diffstat (limited to 'src/com')
-rw-r--r-- | src/com/android/messaging/datamodel/MediaScratchFileProvider.java | 18 | ||||
-rw-r--r-- | src/com/android/messaging/datamodel/MmsFileProvider.java | 19 |
2 files changed, 35 insertions, 2 deletions
diff --git a/src/com/android/messaging/datamodel/MediaScratchFileProvider.java b/src/com/android/messaging/datamodel/MediaScratchFileProvider.java index 29ae4f4..a19523f 100644 --- a/src/com/android/messaging/datamodel/MediaScratchFileProvider.java +++ b/src/com/android/messaging/datamodel/MediaScratchFileProvider.java @@ -32,6 +32,7 @@ import com.android.messaging.util.LogUtil; import com.google.common.annotations.VisibleForTesting; import java.io.File; +import java.io.IOException; import java.util.List; /** @@ -89,8 +90,23 @@ public class MediaScratchFileProvider extends FileProvider { private static File getFileWithExtension(final String path, final String extension) { final Context context = Factory.get().getApplicationContext(); - return new File(getDirectory(context), + final File filePath = new File(getDirectory(context), TextUtils.isEmpty(extension) ? path : path + "." + extension); + + try { + if (!filePath.getCanonicalPath() + .startsWith(getDirectory(context).getCanonicalPath())) { + LogUtil.e(TAG, "getFileWithExtension: path " + + filePath.getCanonicalPath() + + " does not start with " + + getDirectory(context).getCanonicalPath()); + return null; + } + } catch (IOException e) { + LogUtil.e(TAG, "getFileWithExtension: getCanonicalPath failed ", e); + return null; + } + return filePath; } private static File getDirectory(final Context context) { diff --git a/src/com/android/messaging/datamodel/MmsFileProvider.java b/src/com/android/messaging/datamodel/MmsFileProvider.java index 0022630..eb49802 100644 --- a/src/com/android/messaging/datamodel/MmsFileProvider.java +++ b/src/com/android/messaging/datamodel/MmsFileProvider.java @@ -18,12 +18,14 @@ package com.android.messaging.datamodel; import android.content.Context; import android.net.Uri; +import android.text.TextUtils; import com.android.messaging.Factory; import com.android.messaging.util.LogUtil; import com.google.common.annotations.VisibleForTesting; import java.io.File; +import java.io.IOException; /** * A very simple content provider that can serve mms files from our cache directory. @@ -60,7 +62,22 @@ public class MmsFileProvider extends FileProvider { private static File getFile(final String path) { final Context context = Factory.get().getApplicationContext(); - return new File(getDirectory(context), path + ".dat"); + final File filePath = new File(getDirectory(context), path + ".dat"); + + try { + if (!filePath.getCanonicalPath() + .startsWith(getDirectory(context).getCanonicalPath())) { + LogUtil.e(TAG, "getFile: path " + + filePath.getCanonicalPath() + + " does not start with " + + getDirectory(context).getCanonicalPath()); + return null; + } + } catch (IOException e) { + LogUtil.e(TAG, "getFile: getCanonicalPath failed ", e); + return null; + } + return filePath; } private static File getDirectory(final Context context) { |