Use resolved path for both checking and opening.
Jeff Sharkey [Sun, 7 Feb 2016 20:05:09 +0000 (13:05 -0700)]
This avoids a race condition where someone can change a symlink
target after the security checks have passed.

Bug: 26211054
Change-Id: I5e1a2343d631109c21a4c5b2d8d00b2946756680

src/com/android/providers/downloads/DownloadProvider.java
src/com/android/providers/downloads/Helpers.java

index 94e5a99..78b4294 100644 (file)
@@ -715,7 +715,13 @@ public final class DownloadProvider extends ContentProvider {
             throw new IllegalArgumentException("Invalid file URI: " + uri);
         }
 
-        final File file = new File(path);
+        final File file;
+        try {
+            file = new File(path).getCanonicalFile();
+        } catch (IOException e) {
+            throw new SecurityException(e);
+        }
+
         if (Helpers.isFilenameValidInExternalPackage(getContext(), file, getCallingPackage())) {
             // No permissions required for paths belonging to calling package
             return;
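Review bot: The new `getCanonicalFile()` block before the `isFilenameValidInExternalPackage` check has no comment saying why the path is resolved here, and the helper no longer resolves it itself, so a later edit could revert to `new File(path)` without noticing the regression. I would add above the `try` something like `// Resolve symlinks once, up front: the permission checks below must see the same path that is later acted on.` The method continues past the end of this hunk, so it is not visible whether the rest of it uses `file` or the original `path`/`uri`. If anything downstream still uses the unresolved value, the check and the use can disagree again.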
@@ -1191,10 +1197,14 @@ public final class DownloadProvider extends ContentProvider {
 
                         final String path = cursor.getString(1);
                         if (!TextUtils.isEmpty(path)) {
-                            final File file = new File(path);
-                            if (Helpers.isFilenameValid(getContext(), file)) {
-                                Log.v(Constants.TAG, "Deleting " + file + " via provider delete");
-                                file.delete();
+                            try {
+                                final File file = new File(path).getCanonicalFile();
+                                if (Helpers.isFilenameValid(getContext(), file)) {
+                                    Log.v(Constants.TAG,
+                                            "Deleting " + file + " via provider delete");
+                                    file.delete();
+                                }
+                            } catch (IOException ignored) {
                             }
                         }
                     }
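Review bot: The empty `catch (IOException ignored) { }` around the delete silently skips the file when canonicalization fails, so the backing file stays on disk with nothing in the log to explain why. Skipping the delete is the safe choice for an unresolvable path, but it should leave a trace, e.g. `Log.w(Constants.TAG, "Skipping delete, cannot resolve " + path, e);` with the variable renamed from `ignored` to `e`. The result of `file.delete()` is also discarded, so a failed delete is just as invisible. The enclosing loop and method start and end outside this hunk.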
@@ -1260,7 +1270,13 @@ public final class DownloadProvider extends ContentProvider {
             throw new FileNotFoundException("No filename found.");
         }
 
-        final File file = new File(path);
+        final File file;
+        try {
+            file = new File(path).getCanonicalFile();
+        } catch (IOException e) {
+            throw new FileNotFoundException(e.getMessage());
+        }
+
         if (!Helpers.isFilenameValid(getContext(), file)) {
             throw new FileNotFoundException("Invalid file: " + file);
         }
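Review bot: In the new `catch (IOException e)` the original exception is dropped: `new FileNotFoundException(e.getMessage())` keeps only the message, which may be null, so the stack trace showing why resolution failed is lost. `FileNotFoundException` has no cause constructor, so I would write `final FileNotFoundException fnfe = new FileNotFoundException("Failed to resolve " + path);`, then `fnfe.initCause(e);` and `throw fnfe;`. The first hunk wraps the same failure as `new SecurityException(e)`, which keeps the cause, so this would also make the two call sites consistent. The actual open of `file` happens outside this hunk.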
index d1cc545..d01cbff 100644 (file)
@@ -357,8 +357,6 @@ public class Helpers {
     static boolean isFilenameValidInExternalPackage(Context context, File file,
             String packageName) {
         try {
-            file = file.getCanonicalFile();
-
             if (containsCanonical(buildExternalStorageAppFilesDirs(packageName), file) ||
                     containsCanonical(buildExternalStorageAppObbDirs(packageName), file) ||
                     containsCanonical(buildExternalStorageAppCacheDirs(packageName), file) ||
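Review bot: Removing `file = file.getCanonicalFile();` from `isFilenameValidInExternalPackage` (and from `isFilenameValid` in the next hunk) turns canonicalization into an unwritten precondition on every caller. The three call sites changed in DownloadProvider now resolve the path first, but any caller not shown in this commit that still passes a raw `new File(path)` would be checked against an unresolved path. I would state the contract in each method's Javadoc, e.g. `@param file must already be canonical (the result of {@link File#getCanonicalFile()}); symlinks are not resolved here`. Whether `containsCanonical` resolves its second argument itself is not visible in these hunks, so that should be confirmed before relying on it.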
@@ -380,8 +378,6 @@ public class Helpers {
      */
     static boolean isFilenameValid(Context context, File file, boolean allowInternal) {
         try {
-            file = file.getCanonicalFile();
-
             if (allowInternal) {
                 if (containsCanonical(context.getFilesDir(), file)
                         || containsCanonical(context.getCacheDir(), file)