WifiInstaller: remove the installation file
Previously, the installation file deletion was done by the parsing
function WifiManager#buildWifiConfig. This results in a security
vulnerability with the parsing function since the caller can use
that function to delete arbitrary files.
The underlying API used by WifiManager#buildWifiConfig is updated
to not perform the file deletion. So as the caller of that API,
we are responsible for deleting the installation file.
Bug: 33178389
Test: Verify passpoint configuration installation works using shamu
Change-Id: I3b88347c86dcb213033b5aa76e7e19a5524bee05
(cherry picked from commit bfd17d2ab2be44f9827bcbb4d57833698813f79b)
diff --git a/src/com/android/certinstaller/WiFiInstaller.java b/src/com/android/certinstaller/WiFiInstaller.java
index 889c760..728c8ec 100644
--- a/src/com/android/certinstaller/WiFiInstaller.java
+++ b/src/com/android/certinstaller/WiFiInstaller.java
@@ -7,6 +7,7 @@
import android.content.DialogInterface;
import android.content.Intent;
import android.content.res.Resources;
+import android.net.Uri;
import android.net.wifi.WifiConfiguration;
import android.net.wifi.WifiEnterpriseConfig;
import android.net.wifi.WifiManager;
@@ -19,6 +20,7 @@
import android.widget.TextView;
import android.widget.Toast;
import android.os.AsyncTask;
+import android.provider.DocumentsContract;
import java.security.PrivateKey;
import java.security.interfaces.RSAPrivateKey;
@@ -53,6 +55,7 @@
mWifiManager = (WifiManager) getSystemService(Context.WIFI_SERVICE);
mWifiConfiguration = mWifiManager.buildWifiConfig(uriString, mimeType, data);
+ dropFile(Uri.parse(uriString), getApplicationContext());
if (mWifiConfiguration != null) {
WifiEnterpriseConfig enterpriseConfig = mWifiConfiguration.enterpriseConfig;
@@ -195,4 +198,18 @@
}
builder.create().show();
}
+
+ /**
+ * Delete the file specified by the given URI.
+ *
+ * @param uri The URI of the file
+ * @param context The context of the current application
+ */
+ private static void dropFile(Uri uri, Context context) {
+ if (DocumentsContract.isDocumentUri(context, uri)) {
+ DocumentsContract.deleteDocument(context.getContentResolver(), uri);
+ } else {
+ context.getContentResolver().delete(uri, null, null);
+ }
+ }
}