mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-15 10:54:27 -05:00
bcfba01d60
Signed-off-by: Tavi <tavi@divested.dev>
52 lines
2.8 KiB
Diff
52 lines
2.8 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Omar Eissa <oeissa@google.com>
|
|
Date: Mon, 15 Apr 2024 12:04:56 +0000
|
|
Subject: [PATCH] Prevent insertion in other users storage volumes
|
|
|
|
Don't allow file insertion in other users storage volumes.
|
|
This was already handled if DATA was explicitly set in content values,
|
|
but was allowed if DATA was generated based on other values like RELATIVE_PATH and DISPLAY_NAME.
|
|
|
|
Insertion of files in other users storage volumes can be used by malicious apps
|
|
to get access to other users files, since the same file would exist in both users MP databases
|
|
which would lead to MP falsely assuming that the user has access to this file.
|
|
|
|
Bug: 294406604
|
|
Test: atest MediaProviderTests
|
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:df39f8486b25473d0bdbeed896ad917e3c793bf9)
|
|
Merged-In: Ie219bbdbe28819421040e4c083b65ab47d8ebde6
|
|
Change-Id: Ie219bbdbe28819421040e4c083b65ab47d8ebde6
|
|
---
|
|
src/com/android/providers/media/MediaProvider.java | 1 +
|
|
tests/src/com/android/providers/media/MediaProviderTest.java | 5 ++---
|
|
2 files changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/src/com/android/providers/media/MediaProvider.java b/src/com/android/providers/media/MediaProvider.java
|
|
index 5b3a8c41e..a01ba34c6 100644
|
|
--- a/src/com/android/providers/media/MediaProvider.java
|
|
+++ b/src/com/android/providers/media/MediaProvider.java
|
|
@@ -2652,6 +2652,7 @@ public class MediaProvider extends ContentProvider {
|
|
|
|
FileUtils.sanitizeValues(values, /*rewriteHiddenFileName*/ !isFuseThread());
|
|
FileUtils.computeDataFromValues(values, volumePath, isFuseThread());
|
|
+ assertFileColumnsSane(match, uri, values);
|
|
|
|
// Create result file
|
|
File res = new File(values.getAsString(MediaColumns.DATA));
|
|
diff --git a/tests/src/com/android/providers/media/MediaProviderTest.java b/tests/src/com/android/providers/media/MediaProviderTest.java
|
|
index 83b722e07..b865f28e2 100644
|
|
--- a/tests/src/com/android/providers/media/MediaProviderTest.java
|
|
+++ b/tests/src/com/android/providers/media/MediaProviderTest.java
|
|
@@ -316,9 +316,8 @@ public class MediaProviderTest {
|
|
@Test
|
|
public void testInsertionWithInvalidFilePath_throwsIllegalArgumentException() {
|
|
final ContentValues values = new ContentValues();
|
|
- values.put(MediaStore.MediaColumns.RELATIVE_PATH, "Android/media/com.example");
|
|
- values.put(MediaStore.Images.Media.DISPLAY_NAME,
|
|
- "./../../../../../../../../../../../data/media/test.txt");
|
|
+ values.put(MediaStore.MediaColumns.RELATIVE_PATH, "Android/media/com.example/");
|
|
+ values.put(MediaStore.Images.Media.DISPLAY_NAME, "data/media/test.txt");
|
|
|
|
assertThrows(
|
|
IllegalArgumentException.class, () -> sIsolatedResolver.insert(
|