Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / android_packages_providers_MediaProvider / f47a24a158250ab960758d8a35d403ca31c6869e
commitf47a24a158250ab960758d8a35d403ca31c6869e[log] [tgz]
authorOmar Eissa <oeissa@google.com>Mon Apr 15 12:04:56 2024 +0000
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>Wed May 08 21:07:06 2024 +0000
treed7d6355a1d37a5311b5a5f1d4e4a3b2e985b10e2
parentfcafcd70231d609f17b3f990ba0bf8b2ea9f7376 [diff]
Prevent insertion in other users storage volumes

Don't allow file insertion in other users storage volumes.
This was already handled if DATA was explicitly set in content values,
but was allowed if DATA was generated based on other values like RELATIVE_PATH and DISPLAY_NAME.

Insertion of files in other users storage volumes can be used by malicious apps
to get access to other users files, since the same file would exist in both users MP databases
which would lead to MP falsely assuming that the user has access to this file.

Bug: 294406604
Test: atest MediaProviderTests
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:df39f8486b25473d0bdbeed896ad917e3c793bf9)
Merged-In: Ie219bbdbe28819421040e4c083b65ab47d8ebde6
Change-Id: Ie219bbdbe28819421040e4c083b65ab47d8ebde6
2 files changed
tree: d7d6355a1d37a5311b5a5f1d4e4a3b2e985b10e2
  1. apex/
  2. errorprone/
  3. jni/
  4. legacy/
  5. res/
  6. src/
  7. tests/
  8. tools/
  9. .clang-format
  10. .gitignore
  11. Android.bp
  12. AndroidManifest.xml
  13. CleanSpec.mk
  14. deploy.sh
  15. gen_strings.py
  16. jarjar-rules.txt
  17. logging.sh
  18. OWNERS
  19. preinstalled-packages-com.android.providers.media.module.xml
  20. PREUPLOAD.cfg
  21. proguard.flags
  22. sqlite3.sh
  23. TEST_MAPPING
  24. trace.sh
  25. transcode.sh