From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Omar Eissa Date: Mon, 15 Apr 2024 12:04:56 +0000 Subject: [PATCH] Prevent insertion in other users storage volumes Don't allow file insertion in other users storage volumes. This was already handled if DATA was explicitly set in content values, but was allowed if DATA was generated based on other values like RELATIVE_PATH and DISPLAY_NAME. Insertion of files in other users storage volumes can be used by malicious apps to get access to other users files, since the same file would exist in both users MP databases which would lead to MP falsely assuming that the user has access to this file. Bug: 294406604 Test: atest MediaProviderTests (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:df39f8486b25473d0bdbeed896ad917e3c793bf9) Merged-In: Ie219bbdbe28819421040e4c083b65ab47d8ebde6 Change-Id: Ie219bbdbe28819421040e4c083b65ab47d8ebde6 --- src/com/android/providers/media/MediaProvider.java | 1 + tests/src/com/android/providers/media/MediaProviderTest.java | 5 ++--- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/com/android/providers/media/MediaProvider.java b/src/com/android/providers/media/MediaProvider.java index 5b3a8c41e..a01ba34c6 100644 --- a/src/com/android/providers/media/MediaProvider.java +++ b/src/com/android/providers/media/MediaProvider.java @@ -2652,6 +2652,7 @@ public class MediaProvider extends ContentProvider { FileUtils.sanitizeValues(values, /*rewriteHiddenFileName*/ !isFuseThread()); FileUtils.computeDataFromValues(values, volumePath, isFuseThread()); + assertFileColumnsSane(match, uri, values); // Create result file File res = new File(values.getAsString(MediaColumns.DATA)); diff --git a/tests/src/com/android/providers/media/MediaProviderTest.java b/tests/src/com/android/providers/media/MediaProviderTest.java index 83b722e07..b865f28e2 100644 --- a/tests/src/com/android/providers/media/MediaProviderTest.java +++ b/tests/src/com/android/providers/media/MediaProviderTest.java @@ -316,9 +316,8 @@ public class MediaProviderTest { @Test public void testInsertionWithInvalidFilePath_throwsIllegalArgumentException() { final ContentValues values = new ContentValues(); - values.put(MediaStore.MediaColumns.RELATIVE_PATH, "Android/media/com.example"); - values.put(MediaStore.Images.Media.DISPLAY_NAME, - "./../../../../../../../../../../../data/media/test.txt"); + values.put(MediaStore.MediaColumns.RELATIVE_PATH, "Android/media/com.example/"); + values.put(MediaStore.Images.Media.DISPLAY_NAME, "data/media/test.txt"); assertThrows( IllegalArgumentException.class, () -> sIsolatedResolver.insert(