DO NOT MERGE. Use resolved path when inserting and deleting.
Jeff Sharkey [Tue, 16 Feb 2016 22:47:03 +0000 (15:47 -0700)]
This avoids a race condition where someone can change a symlink
target after the security checks have passed.

Bug: 26211054
Change-Id: I40ed6d2298e4b66b4f7a055e68d9820515adf351

src/com/android/providers/downloads/DownloadProvider.java

index 620085f..d9acc78 100644 (file)
@@ -715,7 +715,13 @@ public final class DownloadProvider extends ContentProvider {
             throw new IllegalArgumentException("Invalid file URI: " + uri);
         }
 
-        final File file = new File(path);
+        final File file;
+        try {
+            file = new File(path).getCanonicalFile();
+        } catch (IOException e) {
+            throw new SecurityException(e);
+        }
+
         if (Helpers.isFilenameValidInExternalPackage(getContext(), file, getCallingPackage())) {
             // No permissions required for paths belonging to calling package
             return;
@@ -1191,10 +1197,14 @@ public final class DownloadProvider extends ContentProvider {
 
                         final String path = cursor.getString(1);
                         if (!TextUtils.isEmpty(path)) {
-                            final File file = new File(path);
-                            if (Helpers.isFilenameValid(getContext(), file)) {
-                                Log.v(Constants.TAG, "Deleting " + file + " via provider delete");
-                                file.delete();
+                            try {
+                                final File file = new File(path).getCanonicalFile();
+                                if (Helpers.isFilenameValid(getContext(), file)) {
+                                    Log.v(Constants.TAG,
+                                            "Deleting " + file + " via provider delete");
+                                    file.delete();
+                                }
+                            } catch (IOException ignored) {
                             }
                         }
                     }