From a062609478ba61d2b015ea4eaee550f7c4a31c9f Mon Sep 17 00:00:00 2001 From: Omar Eissa Date: Tue, 27 Aug 2024 13:24:21 +0000 Subject: [PATCH] Prevent apps from renaming files they don't own Malicious apps could rename files in lower file system using MediaProvider.update even if they don't have access to such files. They weren't able to update the DB of MediaProvider, but by renaming such files they could create fake records in MediaProvider DB and then rename the file to have the same name as their created record, which would allow them to access these files. IMAGES_MEDIA_ID, AUDIO_MEDIA_ID and VIDEO_MEDIA_ID URIs were already guaraded against this vulnerability and the aim of this fix to fix it for all other Media URIs. Bug: 304280682 Flag: EXEMPT bug fix Test: Manual (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:191ae46fed057cb96f78d8f140f90f0cec50a797) Merged-In: I91e9966c012fe292cebc0b544f77032613516fac Change-Id: I91e9966c012fe292cebc0b544f77032613516fac --- src/com/android/providers/media/MediaProvider.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/com/android/providers/media/MediaProvider.java b/src/com/android/providers/media/MediaProvider.java index a01ba34c6..c15193414 100644 --- a/src/com/android/providers/media/MediaProvider.java +++ b/src/com/android/providers/media/MediaProvider.java @@ -5351,6 +5351,8 @@ && getCallingPackageTargetSdkVersion() <= Build.VERSION_CODES.Q) { case IMAGES_MEDIA_ID: case DOWNLOADS_ID: case FILES_ID: + // Check if the caller has the required permissions to do placement + enforceCallingPermission(uri, extras, true); break; default: throw new IllegalArgumentException("Movement of " + uri