Validate restored file paths against their nominal domain (0cb27e28) · Commits · e / os / android_frameworks_base

core/java/android/app/backup/BackupAgent.java

+19 −9

Original line number	Diff line number	Diff line
		@@ -440,22 +440,32 @@ public abstract class BackupAgent extends ContextWrapper {
		basePath = getCacheDir().getCanonicalPath();
		} else {
		// Not a supported location
		Log.i(TAG, "Data restored from non-app domain " + domain + ", ignoring");
		Log.i(TAG, "Unrecognized domain " + domain);
		}

		// Now that we've figured out where the data goes, send it on its way
		if (basePath != null) {
		// Canonicalize the nominal path and verify that it lies within the stated domain
		File outFile = new File(basePath, path);
		if (DEBUG) Log.i(TAG, "[" + domain + " : " + path + "] mapped to " + outFile.getPath());
		String outPath = outFile.getCanonicalPath();
		if (outPath.startsWith(basePath + File.separatorChar)) {
		if (DEBUG) Log.i(TAG, "[" + domain + " : " + path + "] mapped to " + outPath);
		onRestoreFile(data, size, outFile, type, mode, mtime);
		return;
		} else {
		// Not a supported output location? We need to consume the data
		// Attempt to restore to a path outside the file's nominal domain.
		if (DEBUG) {
		Log.e(TAG, "Cross-domain restore attempt: " + outPath);
		}
		}
		}

		// Not a supported output location, or bad path: we need to consume the data
		// anyway, so just use the default "copy the data out" implementation
		// with a null destination.
		if (DEBUG) Log.i(TAG, "[ skipping data from unsupported domain " + domain + "]");
		if (DEBUG) Log.i(TAG, "[ skipping file " + path + "]");
		FullBackup.restoreFile(data, size, type, mode, mtime, null);
		}
		}

		// ----- Core implementation -----