commit 27f6c4a24c91ba2fa143b6bdfbed3066827719bb
author Peter Qiu <zqiu@google.com> Mon Dec 12 13:50:01 2016 -0800
committer gitbuildkicker <android-build@google.com> Mon Jan 23 11:24:52 2017 -0800
tree d0c2005fab72174ed6bc92ed8b12663b44387ef2
parent bb716492f4a76cec57f9793fb719b1823cca21de

WifiInstaller: remove the installation file

Previously, the installation file deletion was done by the parsing
function WifiManager#buildWifiConfig.  This results in a security
vulnerability with the parsing function since the caller can use
that function to delete arbitrary files.

The underlying API used by WifiManager#buildWifiConfig is updated
to not perform the file deletion.  So as the caller of that API,
we are responsible for deleting the installation file.

Bug: 33178389
Test: Verify passpoint configuration installation works using shamu
Change-Id: I3b88347c86dcb213033b5aa76e7e19a5524bee05
(cherry picked from commit bfd17d2ab2be44f9827bcbb4d57833698813f79b)

src/com/android/certinstaller/WiFiInstaller.java

diff --git a/src/com/android/certinstaller/WiFiInstaller.java b/src/com/android/certinstaller/WiFiInstaller.java
index 889c760..728c8ec 100644
--- a/src/com/android/certinstaller/WiFiInstaller.java
+++ b/src/com/android/certinstaller/WiFiInstaller.java
@@ -7,6 +7,7 @@
 import android.content.DialogInterface;
 import android.content.Intent;
 import android.content.res.Resources;
+import android.net.Uri;
 import android.net.wifi.WifiConfiguration;
 import android.net.wifi.WifiEnterpriseConfig;
 import android.net.wifi.WifiManager;
@@ -19,6 +20,7 @@
 import android.widget.TextView;
 import android.widget.Toast;
 import android.os.AsyncTask;
+import android.provider.DocumentsContract;
 
 import java.security.PrivateKey;
 import java.security.interfaces.RSAPrivateKey;
@@ -53,6 +55,7 @@
 
         mWifiManager = (WifiManager) getSystemService(Context.WIFI_SERVICE);
         mWifiConfiguration = mWifiManager.buildWifiConfig(uriString, mimeType, data);
+        dropFile(Uri.parse(uriString), getApplicationContext());
 
         if (mWifiConfiguration != null) {
             WifiEnterpriseConfig enterpriseConfig = mWifiConfiguration.enterpriseConfig;
@@ -195,4 +198,18 @@
         }
         builder.create().show();
     }
+
+    /**
+     * Delete the file specified by the given URI.
+     *
+     * @param uri The URI of the file
+     * @param context The context of the current application
+     */
+    private static void dropFile(Uri uri, Context context) {
+        if (DocumentsContract.isDocumentUri(context, uri)) {
+            DocumentsContract.deleteDocument(context.getContentResolver(), uri);
+        } else {
+            context.getContentResolver().delete(uri, null, null);
+        }
+    }
 }