32807795 Security Vulnerability - AOSP Messaging App: thirdparty can
attach private files from "/data/data/com.android.messaging/"
directory to the messaging app.
* This is a manual merge from ag/871758 -- backporting a security fix from
Bugle to Kazoo.
* Don't export the MediaScratchFileProvider or the MmsFileProvider. This
will block external access from third party apps. In addition, make both
providers more robust in handling path names. Make sure the file paths
handled in the providers point to the expected directory.
Change-Id: I9e6b3ae0e122e3f5022243418f2893d4a0859edb
Fixes: 32807795
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index 8fe8fae..4b16a82 100644
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -317,11 +317,13 @@
<provider android:name=".datamodel.MmsFileProvider"
android:authorities="com.android.messaging.datamodel.MmsFileProvider"
- android:grantUriPermissions="true" />
+ android:grantUriPermissions="true"
+ android:exported="false" />
<provider android:name=".datamodel.MediaScratchFileProvider"
android:authorities="com.android.messaging.datamodel.MediaScratchFileProvider"
- android:grantUriPermissions="true" />
+ android:grantUriPermissions="true"
+ android:exported="false" />
<!-- Action Services -->