Skip to content
Snippets Groups Projects
Commit a2aa53f8 authored by Tom Taylor's avatar Tom Taylor
Browse files

32807795 Security Vulnerability - AOSP Messaging App: thirdparty can 

attach private files from "/data/data/com.android.messaging/"
directory to the messaging app.

* This is a manual merge from ag/871758 -- backporting a security fix from
Bugle to Kazoo.
* Don't export the MediaScratchFileProvider or the MmsFileProvider. This
will block external access from third party apps. In addition, make both
providers more robust in handling path names. Make sure the file paths
handled in the providers point to the expected directory.

Change-Id: I9e6b3ae0e122e3f5022243418f2893d4a0859edb
Fixes: 32807795
parent bcc1f627
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
AndroidManifest.xml
+ 4
2
View file @ a2aa53f8
......@@ -317,11 +317,13 @@
<provider android:name=".datamodel.MmsFileProvider"
android:authorities="com.android.messaging.datamodel.MmsFileProvider"
android:grantUriPermissions="true" />
android:grantUriPermissions="true"
android:exported="false" />
<provider android:name=".datamodel.MediaScratchFileProvider"
android:authorities="com.android.messaging.datamodel.MediaScratchFileProvider"
android:grantUriPermissions="true" />
android:grantUriPermissions="true"
android:exported="false" />
<!-- Action Services -->
......
src/com/android/messaging/datamodel/MediaScratchFileProvider.java
+ 17
1
View file @ a2aa53f8
......@@ -32,6 +32,7 @@ import com.android.messaging.util.LogUtil;
import com.google.common.annotations.VisibleForTesting;
import java.io.File;
import java.io.IOException;
import java.util.List;
/**
......@@ -89,8 +90,23 @@ public class MediaScratchFileProvider extends FileProvider {
private static File getFileWithExtension(final String path, final String extension) {
final Context context = Factory.get().getApplicationContext();
return new File(getDirectory(context),
final File filePath = new File(getDirectory(context),
TextUtils.isEmpty(extension) ? path : path + "." + extension);
try {
if (!filePath.getCanonicalPath()
.startsWith(getDirectory(context).getCanonicalPath())) {
LogUtil.e(TAG, "getFileWithExtension: path "
+ filePath.getCanonicalPath()
+ " does not start with "
+ getDirectory(context).getCanonicalPath());
return null;
}
} catch (IOException e) {
LogUtil.e(TAG, "getFileWithExtension: getCanonicalPath failed ", e);
return null;
}
return filePath;
}
private static File getDirectory(final Context context) {
......
src/com/android/messaging/datamodel/MmsFileProvider.java
+ 18
1
View file @ a2aa53f8
......@@ -18,12 +18,14 @@ package com.android.messaging.datamodel;
import android.content.Context;
import android.net.Uri;
import android.text.TextUtils;
import com.android.messaging.Factory;
import com.android.messaging.util.LogUtil;
import com.google.common.annotations.VisibleForTesting;
import java.io.File;
import java.io.IOException;
/**
* A very simple content provider that can serve mms files from our cache directory.
......@@ -60,7 +62,22 @@ public class MmsFileProvider extends FileProvider {
private static File getFile(final String path) {
final Context context = Factory.get().getApplicationContext();
return new File(getDirectory(context), path + ".dat");
final File filePath = new File(getDirectory(context), path + ".dat");
try {
if (!filePath.getCanonicalPath()
.startsWith(getDirectory(context).getCanonicalPath())) {
LogUtil.e(TAG, "getFile: path "
+ filePath.getCanonicalPath()
+ " does not start with "
+ getDirectory(context).getCanonicalPath());
return null;
}
} catch (IOException e) {
LogUtil.e(TAG, "getFile: getCanonicalPath failed ", e);
return null;
}
return filePath;
}
private static File getDirectory(final Context context) {
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment