Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / android_packages_providers_MediaProvider / f47a24a158250ab960758d8a35d403ca31c6869e^! / .
commitf47a24a158250ab960758d8a35d403ca31c6869e[log] [tgz]
authorOmar Eissa <oeissa@google.com>Mon Apr 15 12:04:56 2024 +0000
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>Wed May 08 21:07:06 2024 +0000
treed7d6355a1d37a5311b5a5f1d4e4a3b2e985b10e2
parentfcafcd70231d609f17b3f990ba0bf8b2ea9f7376 [diff]
Prevent insertion in other users storage volumes

Don't allow file insertion in other users storage volumes.
This was already handled if DATA was explicitly set in content values,
but was allowed if DATA was generated based on other values like RELATIVE_PATH and DISPLAY_NAME.

Insertion of files in other users storage volumes can be used by malicious apps
to get access to other users files, since the same file would exist in both users MP databases
which would lead to MP falsely assuming that the user has access to this file.

Bug: 294406604
Test: atest MediaProviderTests
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:df39f8486b25473d0bdbeed896ad917e3c793bf9)
Merged-In: Ie219bbdbe28819421040e4c083b65ab47d8ebde6
Change-Id: Ie219bbdbe28819421040e4c083b65ab47d8ebde6

diff --git a/src/com/android/providers/media/MediaProvider.java b/src/com/android/providers/media/MediaProvider.java
index 87a5fa5..3753b44 100644
--- a/src/com/android/providers/media/MediaProvider.java
+++ b/src/com/android/providers/media/MediaProvider.java

@@ -3859,6 +3859,7 @@
 
             FileUtils.sanitizeValues(values, /*rewriteHiddenFileName*/ !isFuseThread());
             FileUtils.computeDataFromValues(values, volumePath, isFuseThread());
+            assertFileColumnsConsistent(match, uri, values);
 
             // Create result file
             File res = new File(values.getAsString(MediaColumns.DATA));

diff --git a/tests/src/com/android/providers/media/MediaProviderTest.java b/tests/src/com/android/providers/media/MediaProviderTest.java
index fc30292..3bd8667 100644
--- a/tests/src/com/android/providers/media/MediaProviderTest.java
+++ b/tests/src/com/android/providers/media/MediaProviderTest.java

@@ -379,9 +379,8 @@
     @Test
     public void testInsertionWithInvalidFilePath_throwsIllegalArgumentException() {
         final ContentValues values = new ContentValues();
-        values.put(MediaStore.MediaColumns.RELATIVE_PATH, "Android/media/com.example");
-        values.put(MediaStore.Images.Media.DISPLAY_NAME,
-                "./../../../../../../../../../../../data/media/test.txt");
+        values.put(MediaStore.MediaColumns.RELATIVE_PATH, "Android/media/com.example/");
+        values.put(MediaStore.Images.Media.DISPLAY_NAME, "data/media/test.txt");
 
         IllegalArgumentException illegalArgumentException = Assert.assertThrows(
                 IllegalArgumentException.class, () -> sIsolatedResolver.insert(