Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Unverified Commit 15cc3c7b authored by Kevin F. Haggerty's avatar Kevin F. Haggerty
Browse files

Merge tag 'android-security-8.1.0_r90' into staging/lineage-15.1_merge_android-security-8.1.0_r90 

Android security 8.1.0 release 90

* tag 'android-security-8.1.0_r90':
  Protect MAP Client message broadcasts with RECEIVE_SMS permission
  Forbid content from MmsFileProvider in Bluetooth Share

Change-Id: Ie0f1f2988ce85af2170d006f89bf3416e76637a8
parents 587eedaf f5803085

src/com/android/bluetooth/mapclient/MceStateMachine.java

+7 −1
Original line number Diff line number Diff line
@@ -55,6 +55,7 @@ import android.net.Uri; 
import android.os.Message;

import android.os.ParcelUuid;

import android.provider.ContactsContract;

import android.provider.Telephony;

import android.telecom.PhoneAccount;

import android.util.Log;
@@ -528,7 +529,12 @@ final class MceStateMachine extends StateMachine { 
                        intent.putExtra(BluetoothMapClient.EXTRA_SENDER_CONTACT_NAME,

                                originator.getDisplayName());

                    }

                    mService.sendBroadcast(intent);

                    // Only send to the current default SMS app if one exists

                    String defaultMessagingPackage = Telephony.Sms.getDefaultSmsPackage(mService);

                    if (defaultMessagingPackage != null) {

                        intent.setPackage(defaultMessagingPackage);

                    }

                    mService.sendBroadcast(intent, android.Manifest.permission.RECEIVE_SMS);

                    break;



                case MMS:

src/com/android/bluetooth/opp/BluetoothOppSendFileInfo.java

+6 −0
Original line number Diff line number Diff line
@@ -108,6 +108,12 @@ public class BluetoothOppSendFileInfo { 
        // This will allow more 3rd party applications to share files via

        // bluetooth

        if ("content".equals(scheme)) {

            if (fromExternal && BluetoothOppUtility.isForbiddenContent(uri)) {

                EventLog.writeEvent(0x534e4554, "179910660", -1, uri.toString());

                Log.e(TAG, "Content from forbidden URI is not allowed.");

                return SEND_FILE_INFO_ERROR;

            }



            contentType = contentResolver.getType(uri);

            Cursor metadataCursor;

            try {

src/com/android/bluetooth/opp/BluetoothOppUtility.java

+7 −0
Original line number Diff line number Diff line
@@ -372,6 +372,13 @@ public class BluetoothOppUtility { 
        return isSameOrSubDirectory(Environment.getExternalStorageDirectory(), file);

    }



    static boolean isForbiddenContent(Uri uri) {

        if ("com.android.bluetooth.map.MmsFileProvider".equals(uri.getHost())) {

            return true;

        }

        return false;

    }



    /**

     * Checks, whether the child directory is the same as, or a sub-directory of the base

     * directory. Neither base nor child should be null.