diff options
| author | Ajay Panicker <apanicke@google.com> | 2017-04-11 14:45:40 -0700 |
|---|---|---|
| committer | gitbuildkicker <android-build@google.com> | 2017-04-17 16:24:21 -0700 |
| commit | 14b7d7e1537af60b7bca6c7b9e55df0dc7c6bf41 (patch) | |
| tree | 0687f84db12d5c0aa688d3682f48b227aa651803 | |
| parent | f196061addcc56878078e5684f2029ddbf7055ff (diff) | |
| download | Bluetooth-14b7d7e1537af60b7bca6c7b9e55df0dc7c6bf41.tar.gz | |
Prevent OPP from opening files that aren't sent over Bluetoothandroid-7.1.2_r36android-7.1.2_r28android-7.1.2_r19android-7.1.2_r18android-7.1.2_r13android-7.1.2_r12nougat-mr2-release
Before this patch an app could send an open intent to
BluetoothOppTransferService using a fake content provider to gain external
read and write access. We fix this by checking the Uri of the file before
opening it to see if it originated from the Bluetooth Share content provider.
We also stop graning write access to apps that we use to view the file.
Bug: 35385327
Test: PoC found in bug
Change-Id: Iad85490a0306b3e70767285393b204be22b11511
(cherry picked from commit f20350af42cd5cce1a762ef587ee50fef696f0f0)
| -rw-r--r-- | src/com/android/bluetooth/opp/BluetoothOppUtility.java | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/src/com/android/bluetooth/opp/BluetoothOppUtility.java b/src/com/android/bluetooth/opp/BluetoothOppUtility.java index 6b94ab56b..cbbfa1766 100644 --- a/src/com/android/bluetooth/opp/BluetoothOppUtility.java +++ b/src/com/android/bluetooth/opp/BluetoothOppUtility.java @@ -68,6 +68,10 @@ public class BluetoothOppUtility { private static final ConcurrentHashMap<Uri, BluetoothOppSendFileInfo> sSendFileMap = new ConcurrentHashMap<Uri, BluetoothOppSendFileInfo>(); + public static boolean isBluetoothShareUri(Uri uri) { + return uri.toString().startsWith(BluetoothShare.CONTENT_URI.toString()); + } + public static BluetoothOppTransferInfo queryRecord(Context context, Uri uri) { BluetoothOppTransferInfo info = new BluetoothOppTransferInfo(); Cursor cursor = context.getContentResolver().query(uri, null, null, null, null); @@ -178,6 +182,11 @@ public class BluetoothOppUtility { return; } + if (!isBluetoothShareUri(uri)) { + Log.e(TAG, "Trying to open a file that wasn't transfered over Bluetooth"); + return; + } + File f = new File(fileName); if (!f.exists()) { Intent in = new Intent(context, BluetoothOppBtErrorActivity.class); @@ -208,17 +217,8 @@ public class BluetoothOppUtility { .queryIntentActivities(activityIntent, PackageManager.MATCH_DEFAULT_ONLY); - // Grant permissions for any app that can handle a file to access it - for (ResolveInfo resolveInfo : resInfoList) { - String packageName = resolveInfo.activityInfo.packageName; - context.grantUriPermission(packageName, path, - Intent.FLAG_GRANT_WRITE_URI_PERMISSION | - Intent.FLAG_GRANT_READ_URI_PERMISSION); - } - activityIntent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK); - activityIntent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION); - activityIntent.setFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION); + activityIntent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION); try { if (V) Log.d(TAG, "ACTION_VIEW intent sent out: " + path + " / " + mimetype); |