DO NOT MERGE. Use resolved path when inserting and deleting.
This avoids a race condition where someone can change a symlink
target after the security checks have passed.
Bug: 26211054
Change-Id: I03b06b746fde5d08d6b61a7011bdace0b4e9fa77
diff --git a/src/com/android/providers/downloads/DownloadProvider.java b/src/com/android/providers/downloads/DownloadProvider.java
index 620085f..d9acc78 100644
--- a/src/com/android/providers/downloads/DownloadProvider.java
+++ b/src/com/android/providers/downloads/DownloadProvider.java
@@ -715,7 +715,13 @@
throw new IllegalArgumentException("Invalid file URI: " + uri);
}
- final File file = new File(path);
+ final File file;
+ try {
+ file = new File(path).getCanonicalFile();
+ } catch (IOException e) {
+ throw new SecurityException(e);
+ }
+
if (Helpers.isFilenameValidInExternalPackage(getContext(), file, getCallingPackage())) {
// No permissions required for paths belonging to calling package
return;
@@ -1191,10 +1197,14 @@
final String path = cursor.getString(1);
if (!TextUtils.isEmpty(path)) {
- final File file = new File(path);
- if (Helpers.isFilenameValid(getContext(), file)) {
- Log.v(Constants.TAG, "Deleting " + file + " via provider delete");
- file.delete();
+ try {
+ final File file = new File(path).getCanonicalFile();
+ if (Helpers.isFilenameValid(getContext(), file)) {
+ Log.v(Constants.TAG,
+ "Deleting " + file + " via provider delete");
+ file.delete();
+ }
+ } catch (IOException ignored) {
}
}
}