Use resolved path for both checking and opening.
This avoids a race condition where someone can change a symlink
target after the security checks have passed.
Bug: 26211054
Change-Id: I5842aaecc7b7d417a3b1902957b59b8a1f3c1ccb
diff --git a/src/com/android/providers/downloads/DownloadProvider.java b/src/com/android/providers/downloads/DownloadProvider.java
index 4b23024..2d914c4 100644
--- a/src/com/android/providers/downloads/DownloadProvider.java
+++ b/src/com/android/providers/downloads/DownloadProvider.java
@@ -1230,9 +1230,15 @@
throw new FileNotFoundException("No filename found.");
}
- final File file = new File(path);
+ final File file;
+ try {
+ file = new File(path).getCanonicalFile();
+ } catch (IOException e) {
+ throw new FileNotFoundException(e.getMessage());
+ }
+
if (!Helpers.isFilenameValid(getContext(), file)) {
- throw new FileNotFoundException("Invalid file: " + file);
+ throw new FileNotFoundException("Invalid file path: " + file);
}
final int pfdMode = ParcelFileDescriptor.parseMode(mode);
diff --git a/src/com/android/providers/downloads/Helpers.java b/src/com/android/providers/downloads/Helpers.java
index 0aa49c0..1b4c911 100644
--- a/src/com/android/providers/downloads/Helpers.java
+++ b/src/com/android/providers/downloads/Helpers.java
@@ -341,7 +341,6 @@
static boolean isFilenameValid(Context context, File file) {
final File[] whitelist;
try {
- file = file.getCanonicalFile();
whitelist = new File[] {
context.getFilesDir().getCanonicalFile(),
context.getCacheDir().getCanonicalFile(),
