Use resolved path for both checking and opening.
This avoids a race condition where someone can change a symlink
target after the security checks have passed.
Bug: 26211054
Change-Id: I5842aaecc7b7d417a3b1902957b59b8a1f3c1ccb
(cherry picked from commit 6608eb8feedafab93b840c208a40aa6d6c755584)
diff --git a/src/com/android/providers/downloads/DownloadProvider.java b/src/com/android/providers/downloads/DownloadProvider.java
index 94e5a99..620085f 100644
--- a/src/com/android/providers/downloads/DownloadProvider.java
+++ b/src/com/android/providers/downloads/DownloadProvider.java
@@ -1260,9 +1260,15 @@
throw new FileNotFoundException("No filename found.");
}
- final File file = new File(path);
+ final File file;
+ try {
+ file = new File(path).getCanonicalFile();
+ } catch (IOException e) {
+ throw new FileNotFoundException(e.getMessage());
+ }
+
if (!Helpers.isFilenameValid(getContext(), file)) {
- throw new FileNotFoundException("Invalid file: " + file);
+ throw new FileNotFoundException("Invalid file path: " + file);
}
final int pfdMode = ParcelFileDescriptor.parseMode(mode);
diff --git a/src/com/android/providers/downloads/Helpers.java b/src/com/android/providers/downloads/Helpers.java
index d1cc545..d01cbff 100644
--- a/src/com/android/providers/downloads/Helpers.java
+++ b/src/com/android/providers/downloads/Helpers.java
@@ -357,8 +357,6 @@
static boolean isFilenameValidInExternalPackage(Context context, File file,
String packageName) {
try {
- file = file.getCanonicalFile();
-
if (containsCanonical(buildExternalStorageAppFilesDirs(packageName), file) ||
containsCanonical(buildExternalStorageAppObbDirs(packageName), file) ||
containsCanonical(buildExternalStorageAppCacheDirs(packageName), file) ||
@@ -380,8 +378,6 @@
*/
static boolean isFilenameValid(Context context, File file, boolean allowInternal) {
try {
- file = file.getCanonicalFile();
-
if (allowInternal) {
if (containsCanonical(context.getFilesDir(), file)
|| containsCanonical(context.getCacheDir(), file)