32807795 Security Vulnerability - AOSP Messaging App: thirdparty can attach private files from "/data/data/com.android.messaging/" directory to the messaging app. am: a2aa53f83a
am: 90bf70396d
Change-Id: I83792b4135c1e7adaf30f5835742fd1898b1b451
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index 8fe8fae..4b16a82 100644
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -317,11 +317,13 @@
<provider android:name=".datamodel.MmsFileProvider"
android:authorities="com.android.messaging.datamodel.MmsFileProvider"
- android:grantUriPermissions="true" />
+ android:grantUriPermissions="true"
+ android:exported="false" />
<provider android:name=".datamodel.MediaScratchFileProvider"
android:authorities="com.android.messaging.datamodel.MediaScratchFileProvider"
- android:grantUriPermissions="true" />
+ android:grantUriPermissions="true"
+ android:exported="false" />
<!-- Action Services -->
diff --git a/src/com/android/messaging/datamodel/MediaScratchFileProvider.java b/src/com/android/messaging/datamodel/MediaScratchFileProvider.java
index 29ae4f4..a19523f 100644
--- a/src/com/android/messaging/datamodel/MediaScratchFileProvider.java
+++ b/src/com/android/messaging/datamodel/MediaScratchFileProvider.java
@@ -32,6 +32,7 @@
import com.google.common.annotations.VisibleForTesting;
import java.io.File;
+import java.io.IOException;
import java.util.List;
/**
@@ -89,8 +90,23 @@
private static File getFileWithExtension(final String path, final String extension) {
final Context context = Factory.get().getApplicationContext();
- return new File(getDirectory(context),
+ final File filePath = new File(getDirectory(context),
TextUtils.isEmpty(extension) ? path : path + "." + extension);
+
+ try {
+ if (!filePath.getCanonicalPath()
+ .startsWith(getDirectory(context).getCanonicalPath())) {
+ LogUtil.e(TAG, "getFileWithExtension: path "
+ + filePath.getCanonicalPath()
+ + " does not start with "
+ + getDirectory(context).getCanonicalPath());
+ return null;
+ }
+ } catch (IOException e) {
+ LogUtil.e(TAG, "getFileWithExtension: getCanonicalPath failed ", e);
+ return null;
+ }
+ return filePath;
}
private static File getDirectory(final Context context) {
diff --git a/src/com/android/messaging/datamodel/MmsFileProvider.java b/src/com/android/messaging/datamodel/MmsFileProvider.java
index 0022630..eb49802 100644
--- a/src/com/android/messaging/datamodel/MmsFileProvider.java
+++ b/src/com/android/messaging/datamodel/MmsFileProvider.java
@@ -18,12 +18,14 @@
import android.content.Context;
import android.net.Uri;
+import android.text.TextUtils;
import com.android.messaging.Factory;
import com.android.messaging.util.LogUtil;
import com.google.common.annotations.VisibleForTesting;
import java.io.File;
+import java.io.IOException;
/**
* A very simple content provider that can serve mms files from our cache directory.
@@ -60,7 +62,22 @@
private static File getFile(final String path) {
final Context context = Factory.get().getApplicationContext();
- return new File(getDirectory(context), path + ".dat");
+ final File filePath = new File(getDirectory(context), path + ".dat");
+
+ try {
+ if (!filePath.getCanonicalPath()
+ .startsWith(getDirectory(context).getCanonicalPath())) {
+ LogUtil.e(TAG, "getFile: path "
+ + filePath.getCanonicalPath()
+ + " does not start with "
+ + getDirectory(context).getCanonicalPath());
+ return null;
+ }
+ } catch (IOException e) {
+ LogUtil.e(TAG, "getFile: getCanonicalPath failed ", e);
+ return null;
+ }
+ return filePath;
}
private static File getDirectory(final Context context) {