Fix exposing private messages files through attachments with a content URI.

Change-Id: I30b2a06c67af4a347d03c7504d13b9b9365acafd Tested: Was no longer able to repro b/275552292. Bug: 275552292

Fix exposing private messages files through attachments with a content URI.
0d545214 · Jake Klinker · c51c783a · 0d545214
Commit 0d545214 authored 1 year ago by Jake Klinker
--- a/src/com/android/messaging/util/FileUtil.java
+++ b/src/com/android/messaging/util/FileUtil.java
@@ -20,6 +20,7 @@ import android.content.ContentResolver;
 import android.content.Context;
 import android.net.Uri;
 import android.os.Environment;
+import android.os.ParcelFileDescriptor;
 import android.text.TextUtils;

 import com.android.messaging.Factory;
@@ -28,6 +29,8 @@ import com.google.common.io.Files;

 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.text.SimpleDateFormat;
 import java.util.Date;
 import java.util.Locale;
@@ -121,6 +124,10 @@ public class FileUtil {
    // We're told it's possible to create world readable hardlinks to other apps private data
    // so we ban all /data file uris.
    public static boolean isInPrivateDir(Uri uri) {
+        return isFileUriInPrivateDir(uri) || isContentUriInPrivateDir(uri);
+    }
+
+    private static boolean isFileUriInPrivateDir(Uri uri) {
        if (!UriUtil.isFileUri(uri)) {
            return false;
        }
@@ -128,6 +135,24 @@ public class FileUtil {
        return FileUtil.isSameOrSubDirectory(Environment.getDataDirectory(), file);
    }

+    private static boolean isContentUriInPrivateDir(Uri uri) {
+        if (!uri.getScheme().equals(ContentResolver.SCHEME_CONTENT)) {
+            return false;
+        }
+        try {
+            Context context = Factory.get().getApplicationContext();
+            ParcelFileDescriptor pfd = context.getContentResolver().openFileDescriptor(uri, "r");
+            int fd = pfd.getFd();
+            // Use the file descriptor to find out the read file path through symbolic link.
+            Path fdPath = Paths.get("/proc/self/fd/" + fd);
+            Path filePath = java.nio.file.Files.readSymbolicLink(fdPath);
+            pfd.close();
+            return FileUtil.isSameOrSubDirectory(Environment.getDataDirectory(), filePath.toFile());
+        } catch (Exception e) {
+            return false;
+        }
+    }
+
    /**
     * Checks, whether the child directory is the same as, or a sub-directory of the base
     * directory.