Limit account id and id to longsandroid-7.0.0_r35 android-7.0.0_r34 android-7.0.0_r33 android-7.0.0_r32 android-7.0.0_r31 android-7.0.0_r30 android-7.0.0_r29 android-7.0.0_r28 android-7.0.0_r27 android-7.0.0_r24 android-7.0.0_r21 android-7.0.0_r19 android-7.0.0_r17 android-7.0.0_r14 android-7.0.0_r13 android-7.0.0_r12 nougat-bugfix-release

The security issue occurs because id is allowed to be an arbitrary path instead of being limited to what it is -- a long. Both id and account id are now parsed into longs (and if either fails, an error will be logged and null will be returned). Tested/verified error is logged using the reported attack. BUG=30745403 Change-Id: Ia21418545bbaeb96fb5ab6c3f4e71858e57b8684 (cherry picked from commit 9794d7e8216138adf143a3b6faf3d5683316a662)
author: Rohan Shah <shahrk@google.com> 2016-08-17 11:23:26 -0700
committer: gitbuildkicker <android-build@google.com> 2016-08-31 22:21:22 -0700
commit: 19df2a48cf356e63639bedcfec7b823f11c14020 (patch)
tree: ca0ddef78980f66a5266276dd8fbfbf9ff75ce2d
parent: 9dd215892b3ebe94c4df1c92b68e4a08abc5c660 (diff)
download: Email-android-7.0.0_r17.tar.gz
1 files changed, 9 insertions, 5 deletions
diff --git a/provider_src/com/android/email/provider/AttachmentProvider.java b/provider_src/com/android/email/provider/AttachmentProvider.java
index c64fb4e4c..0abed9712 100644
--- a/provider_src/com/android/email/provider/AttachmentProvider.java
+++ b/provider_src/com/android/email/provider/AttachmentProvider.java
@@ -166,8 +166,8 @@ public class AttachmentProvider extends ContentProvider {
         long callingId = Binder.clearCallingIdentity();
         try {
             List<String> segments = uri.getPathSegments();
-            String accountId = segments.get(0);
-            String id = segments.get(1);
+            final long accountId = Long.parseLong(segments.get(0));
+            final long id = Long.parseLong(segments.get(1));
             String format = segments.get(2);
             if (AttachmentUtilities.FORMAT_THUMBNAIL.equals(format)) {
                 int width = Integer.parseInt(segments.get(3));
@@ -176,8 +176,7 @@ public class AttachmentProvider extends ContentProvider {
                 File dir = getContext().getCacheDir();
                 File file = new File(dir, filename);
                 if (!file.exists()) {
-                    Uri attachmentUri = AttachmentUtilities.
-                        getAttachmentUri(Long.parseLong(accountId), Long.parseLong(id));
+                    Uri attachmentUri = AttachmentUtilities.getAttachmentUri(accountId, id);
                     Cursor c = query(attachmentUri,
                             new String[] { Columns.DATA }, null, null, null);
                     if (c != null) {
@@ -218,9 +217,14 @@ public class AttachmentProvider extends ContentProvider {
             }
             else {
                 return ParcelFileDescriptor.open(
-                        new File(getContext().getDatabasePath(accountId + ".db_att"), id),
+                        new File(getContext().getDatabasePath(accountId + ".db_att"),
+                                String.valueOf(id)),
                         ParcelFileDescriptor.MODE_READ_ONLY);
             }
+        } catch (NumberFormatException e) {
+            LogUtils.e(Logging.LOG_TAG,
+                    "AttachmentProvider.openFile: Failed to open as id is not a long");
+            return null;
         } finally {
             Binder.restoreCallingIdentity(callingId);
         }
author	Rohan Shah <shahrk@google.com>	2016-08-17 11:23:26 -0700
committer	gitbuildkicker <android-build@google.com>	2016-08-31 22:21:22 -0700
commit	19df2a48cf356e63639bedcfec7b823f11c14020 (patch)
tree	ca0ddef78980f66a5266276dd8fbfbf9ff75ce2d
parent	9dd215892b3ebe94c4df1c92b68e4a08abc5c660 (diff)
download	Email-android-7.0.0_r17.tar.gz