diff options
author | Jake Klinker <jklinker@google.com> | 2023-05-08 23:07:07 +0000 |
---|---|---|
committer | Jake Klinker <jklinker@google.com> | 2023-05-09 14:00:39 +0000 |
commit | 0d5452146c58aa9b938daffc88f8b03eb9aee58b (patch) | |
tree | 659680dd26ead01c4e43c4f367e19487ca48f378 | |
parent | c51c783a466a53fd99412799f972b023bcb0a337 (diff) | |
download | Messaging-0d5452146c58aa9b938daffc88f8b03eb9aee58b.tar.gz |
Fix exposing private messages files through attachments with a content URI.
Change-Id: I30b2a06c67af4a347d03c7504d13b9b9365acafd
Tested: Was no longer able to repro b/275552292.
Bug: 275552292
-rw-r--r-- | src/com/android/messaging/util/FileUtil.java | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/src/com/android/messaging/util/FileUtil.java b/src/com/android/messaging/util/FileUtil.java index 71fbb4b..e7d86f2 100644 --- a/src/com/android/messaging/util/FileUtil.java +++ b/src/com/android/messaging/util/FileUtil.java @@ -20,6 +20,7 @@ import android.content.ContentResolver; import android.content.Context; import android.net.Uri; import android.os.Environment; +import android.os.ParcelFileDescriptor; import android.text.TextUtils; import com.android.messaging.Factory; @@ -28,6 +29,8 @@ import com.google.common.io.Files; import java.io.File; import java.io.IOException; +import java.nio.file.Path; +import java.nio.file.Paths; import java.text.SimpleDateFormat; import java.util.Date; import java.util.Locale; @@ -121,6 +124,10 @@ public class FileUtil { // We're told it's possible to create world readable hardlinks to other apps private data // so we ban all /data file uris. public static boolean isInPrivateDir(Uri uri) { + return isFileUriInPrivateDir(uri) || isContentUriInPrivateDir(uri); + } + + private static boolean isFileUriInPrivateDir(Uri uri) { if (!UriUtil.isFileUri(uri)) { return false; } @@ -128,6 +135,24 @@ public class FileUtil { return FileUtil.isSameOrSubDirectory(Environment.getDataDirectory(), file); } + private static boolean isContentUriInPrivateDir(Uri uri) { + if (!uri.getScheme().equals(ContentResolver.SCHEME_CONTENT)) { + return false; + } + try { + Context context = Factory.get().getApplicationContext(); + ParcelFileDescriptor pfd = context.getContentResolver().openFileDescriptor(uri, "r"); + int fd = pfd.getFd(); + // Use the file descriptor to find out the read file path through symbolic link. + Path fdPath = Paths.get("/proc/self/fd/" + fd); + Path filePath = java.nio.file.Files.readSymbolicLink(fdPath); + pfd.close(); + return FileUtil.isSameOrSubDirectory(Environment.getDataDirectory(), filePath.toFile()); + } catch (Exception e) { + return false; + } + } + /** * Checks, whether the child directory is the same as, or a sub-directory of the base * directory. |