Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_apps_Messaging / a21b8f936e29ad02df6cc7ade91b76f5de8a3a29^1..a21b8f936e29ad02df6cc7ade91b76f5de8a3a29 / .
commita21b8f936e29ad02df6cc7ade91b76f5de8a3a29[log] [tgz]
authorTom Taylor <tomtaylor@google.com>Tue Dec 06 22:16:44 2016 +0000
committerandroid-build-merger <android-build-merger@google.com>Tue Dec 06 22:16:44 2016 +0000
tree55f3d18c8782cebc582be94c56bcb668492c1edc
parent305a004e197d3ceadb8f41c9e26e3d8f08bdd48c [diff]
parent10dccb12ad47b2513671454cf8c6cc8031603c83 [diff]
32161610 Security Vulnerability - Information disclosure vulnerability in AOSP Messaging am: 69ed579fb8
am: 10dccb12ad

Change-Id: Ia9830002762794a35da40daf8cc19f62434fabba

diff --git a/src/com/android/messaging/ui/mediapicker/DocumentImagePicker.java b/src/com/android/messaging/ui/mediapicker/DocumentImagePicker.java
index 2c36752..dff59cf 100644
--- a/src/com/android/messaging/ui/mediapicker/DocumentImagePicker.java
+++ b/src/com/android/messaging/ui/mediapicker/DocumentImagePicker.java

@@ -24,8 +24,13 @@
 import com.android.messaging.Factory;
 import com.android.messaging.datamodel.data.PendingAttachmentData;
 import com.android.messaging.ui.UIIntents;
+import com.android.messaging.util.LogUtil;
+import com.android.messaging.util.FileUtil;
 import com.android.messaging.util.ImageUtils;
 import com.android.messaging.util.SafeAsyncTask;
+import com.android.messaging.util.UriUtil;
+
+import java.io.File;
 
 /**
  * Wraps around the functionalities to allow the user to pick images from the document
@@ -111,12 +116,24 @@
         new SafeAsyncTask<Void, Void, String>() {
             @Override
             protected String doInBackgroundTimed(final Void... params) {
+                if (UriUtil.isFileUri(documentUri) &&
+                        FileUtil.isInDataDir(new File(documentUri.getPath()))) {
+                    // hacker sending private app data. Bail out
+                    if (LogUtil.isLoggable(LogUtil.BUGLE_TAG, LogUtil.ERROR)) {
+                        LogUtil.e(LogUtil.BUGLE_TAG, "Aborting attach of private app data ("
+                                + documentUri + ")");
+                    }
+                    return null;
+                }
                 return ImageUtils.getContentType(
                         Factory.get().getApplicationContext().getContentResolver(), documentUri);
             }
 
             @Override
             protected void onPostExecute(final String contentType) {
+                if (contentType == null) {
+                    return;     // bad uri on input
+                }
                 // Ask the listener to create a temporary placeholder item to show the progress.
                 final PendingAttachmentData pendingItem =
                         PendingAttachmentData.createPendingAttachmentData(contentType,

diff --git a/src/com/android/messaging/util/FileUtil.java b/src/com/android/messaging/util/FileUtil.java
index 7c47ae9..b147b25 100644
--- a/src/com/android/messaging/util/FileUtil.java
+++ b/src/com/android/messaging/util/FileUtil.java

@@ -17,6 +17,7 @@
 package com.android.messaging.util;
 
 import android.content.Context;
+import android.os.Environment;
 import android.webkit.MimeTypeMap;
 
 import com.android.messaging.Factory;
@@ -116,6 +117,13 @@
         }
     }
 
+    // Checks if the file is in /data, and don't allow any app to send personal information.
+    // We're told it's possible to create world readable hardlinks to other apps private data
+    // so we ban all /data file uris. b/28793303
+    public static boolean isInDataDir(File file) {
+        return isSameOrSubDirectory(Environment.getDataDirectory(), file);
+    }
+
     /**
      * Checks, whether the child directory is the same as, or a sub-directory of the base
      * directory.