| author | Billy Huang <billyhuang@google.com> | 2024-10-02 14:45:37 -0700 |
|---|---|---|
| committer | aoleary <seanm187@gmail.com> | 2025-02-21 09:44:32 +0000 |
| commit | 5a9f302d26d4fc3d6cc18c2456c550cb4464009e (patch) | |
| tree | 066387ed4ef080cd0c5b587e5e9a848e53293f08 | |
| parent | b464ffae33916e0ecc0250252b23c2dc55771448 (diff) | |
RESTRICT AUTOMERGE backport "opp: validate that content uri belongs to current user"
Bug: 296915500
Flag: EXEMPT trivial fix with complete testing coverage
Test: atest GoogleBluetoothInstrumentationTests:BluetoothOppSendFileInfoTest
Ignore-AOSP-First: fix for undisclosed vulnerability
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5bcfd347823f1d3893d843db2286f2013923fad8)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d2e609af40232d899621465e5cd7eeb670476240)
Merged-In: Ibff36089bfde4b5bb28d797aeae1423b668943a2
Change-Id: Ibff36089bfde4b5bb28d797aeae1423b668943a2
Change-Id: Ia60fee2666c45180a97e1a17e6f73f3c67f12856
| -rw-r--r-- | android/app/src/com/android/bluetooth/opp/BluetoothOppSendFileInfo.java | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/android/app/src/com/android/bluetooth/opp/BluetoothOppSendFileInfo.java b/android/app/src/com/android/bluetooth/opp/BluetoothOppSendFileInfo.java
index 2adb8e5f44..7ce134341a 100644
--- a/android/app/src/com/android/bluetooth/opp/BluetoothOppSendFileInfo.java
+++ b/android/app/src/com/android/bluetooth/opp/BluetoothOppSendFileInfo.java
@@ -32,6 +32,8 @@
 package com.android.bluetooth.opp;
+import static android.os.UserHandle.myUserId;
+
 import android.content.ContentResolver;
 import android.content.Context;
 import android.content.res.AssetFileDescriptor;
@@ -39,6 +41,7 @@ import android.database.Cursor;
 import android.database.sqlite.SQLiteException;
 import android.net.Uri;
 import android.provider.OpenableColumns;
+import android.text.TextUtils;
 import android.util.EventLog;
 import android.util.Log;
@@ -49,6 +52,7 @@ import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.util.Objects;
 /**
 * This class stores information about a single sending file It will only be
@@ -117,6 +121,11 @@ public class BluetoothOppSendFileInfo {
 return SEND_FILE_INFO_ERROR;
 }
+ if (isContentUriForOtherUser(uri)) {
+ Log.e(TAG, "Uri: " + uri + " is invalid for user " + myUserId());
+ return SEND_FILE_INFO_ERROR;
+ }
+
 contentType = contentResolver.getType(uri);
 Cursor metadataCursor;
 try {
@@ -253,6 +262,12 @@ public class BluetoothOppSendFileInfo {
 return new BluetoothOppSendFileInfo(fileName, contentType, length, is, 0);
 }
+ private static boolean isContentUriForOtherUser(Uri uri) {
+ String uriUserId = uri.getUserInfo();
+ return !TextUtils.isEmpty(uriUserId)
+ && !Objects.equals(uriUserId, String.valueOf(myUserId()));
+ }
+
 private static long getStreamSize(FileInputStream is) throws IOException {
 long length = 0;
 byte[] unused = new byte[4096]; |
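Review bot: The rejection branch added before `contentResolver.getType(uri)` writes the whole rejected URI to logcat through `"Uri: " + uri`, and for a content URI handed in by another app the path and query can carry record identifiers or file names. The authority alone shows which user id and provider were addressed, e.g. `Log.e(TAG, "Content uri authority " + uri.getAuthority() + " is invalid for user " + myUserId());`. The file already imports `android.util.EventLog`; if other rejected-input paths in this class emit a security event, this one should probably do the same so a cross-user attempt is visible to monitoring and not only in logcat. The enclosing method starts and ends outside the hunk, so the scheme check guarding this branch is not visible here.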
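Review bot: `isContentUriForOtherUser` has no comment explaining its two deliberate choices, and both matter to anyone who later edits it. A missing or empty user-info part is accepted because such a URI names no cross-user id, and the id is compared as an exact string against `String.valueOf(myUserId())`, so a non-canonical spelling of the caller's own id (a leading zero or a sign, for example) is rejected instead of normalised, which fails closed. I would add a short Javadoc saying so, e.g. `/** Returns true when the URI authority names a user id other than the caller's; ids are compared as strings so any non-canonical form is treated as another user. */`, so that nobody later swaps in a lenient integer parse. The test named in the commit message is not part of this diff; cases for no user id, the current id, a different id and a malformed id would pin this behaviour.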
