Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 63d8ee55 authored by Varun Shah's avatar Varun Shah Committed by Markus S
Browse files

Don't allow read truncation or appending for file operations. 

If a caller attempts to read a file with the truncation or append
bits and doesn't specify the write bit as well, silently drop the
invalid bits to prevent unintended changes.

Bug: 414387646
Test: atest CtsContentProviderTestCases
Flag: EXEMPT security fix
(cherry picked from commit f8099b06)
Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:fc0dcc7ca0fd102d61bef8bd41d9a037bd49f6dd
Merged-In: I1a8993d99d1f381e1122b304d223a5c10e4578ce
Change-Id: I1a8993d99d1f381e1122b304d223a5c10e4578ce
parent 6e81e69f

core/java/android/content/ContentProvider.java

+22 −2
Original line number Diff line number Diff line
@@ -385,11 +385,12 @@ public abstract class ContentProvider implements ComponentCallbacks2 { 
                throws FileNotFoundException {

            uri = validateIncomingUri(uri);

            uri = maybeGetUriWithoutUserId(uri);

            enforceFilePermission(callingPkg, uri, mode, null);

            final String updateMode = validateFileMode(mode);

            enforceFilePermission(callingPkg, uri, updateMode, null);

            final String original = setCallingPackage(callingPkg);

            try {

                return ContentProvider.this.openAssetFile(

                        uri, mode, CancellationSignal.fromTransport(cancellationSignal));

                        uri, updateMode, CancellationSignal.fromTransport(cancellationSignal));

            } finally {

                setCallingPackage(original);

            }
@@ -484,6 +485,25 @@ public abstract class ContentProvider implements ComponentCallbacks2 { 
            }

        }



        private String validateFileMode(String mode) {

            // We currently only support the following modes: r, w, wt, wa, rw, rwt

            // Note: ideally, we should check against the allowed modes and throw a

            // SecurityException if the mode doesn't match any of them but to avoid app compat

            // issues, we're silently dropping bits which allow modifying files when the write bit

            // is not specified.

            if (mode != null && mode.indexOf('w') == -1) {

                // Don't allow truncation without write

                if (mode.indexOf('t') != -1) {

                    mode = mode.replace("t", "");

                }

                // Don't allow appending without write

                if (mode.indexOf('a') != -1) {

                    mode = mode.replace("a", "");

                }

            }

            return mode;

        }



        private void enforceFilePermission(String callingPkg, Uri uri, String mode,

                IBinder callerToken) throws FileNotFoundException, SecurityException {

            if (mode != null && mode.indexOf('w') != -1) {