
Prevent OPP from opening files that aren't sent over Bluetooth

Before this patch an app could send an open intent to
BluetoothOppTransferService using a fake content provider to gain external
read and write access. We fix this by checking the Uri of the file before
opening it to see if it originated from the Bluetooth Share content provider.
We also stop granting write access to apps that we use to view the file.

Bug: 35385327
Test: PoC found in bug
Change-Id: Iad85490a0306b3e70767285393b204be22b11511
(cherry picked from commit f20350a)
panickeraj authored and gitbuildkicker committed Apr 11, 2017
1 parent f196061 commit 14b7d7e1537af60b7bca6c7b9e55df0dc7c6bf41
Showing with 10 additions and 10 deletions.
  1. +10 −10 src/com/android/bluetooth/opp/BluetoothOppUtility.java
@@ -68,6 +68,10 @@
private static final ConcurrentHashMap<Uri, BluetoothOppSendFileInfo> sSendFileMap
= new ConcurrentHashMap<Uri, BluetoothOppSendFileInfo>();
public static boolean isBluetoothShareUri(Uri uri) {
return uri.toString().startsWith(BluetoothShare.CONTENT_URI.toString());
}
public static BluetoothOppTransferInfo queryRecord(Context context, Uri uri) {
BluetoothOppTransferInfo info = new BluetoothOppTransferInfo();
Cursor cursor = context.getContentResolver().query(uri, null, null, null, null);
@@ -178,6 +182,11 @@ public static void openReceivedFile(Context context, String fileName, String mim
return;
}
if (!isBluetoothShareUri(uri)) {
Log.e(TAG, "Trying to open a file that wasn't transfered over Bluetooth");
return;
}
File f = new File(fileName);
if (!f.exists()) {
Intent in = new Intent(context, BluetoothOppBtErrorActivity.class);
@@ -208,17 +217,8 @@ public static void openReceivedFile(Context context, String fileName, String mim
.queryIntentActivities(activityIntent,
PackageManager.MATCH_DEFAULT_ONLY);
// Grant permissions for any app that can handle a file to access it
for (ResolveInfo resolveInfo : resInfoList) {
String packageName = resolveInfo.activityInfo.packageName;
context.grantUriPermission(packageName, path,
Intent.FLAG_GRANT_WRITE_URI_PERMISSION |
Intent.FLAG_GRANT_READ_URI_PERMISSION);
}
activityIntent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
activityIntent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
activityIntent.setFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
activityIntent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
try {
if (V) Log.d(TAG, "ACTION_VIEW intent sent out: " + path + " / " + mimetype);
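Review bot: `isBluetoothShareUri` decides provenance with a string-prefix test, `uri.toString().startsWith(BluetoothShare.CONTENT_URI.toString())`, which compares the serialized form of the Uri rather than the parsed scheme and authority that content resolution uses to select a provider. Comparing the components directly is a tighter check: `return BluetoothShare.CONTENT_URI.getScheme().equals(uri.getScheme()) && BluetoothShare.CONTENT_URI.getAuthority().equals(uri.getAuthority());`. The helper is public and dereferences `uri` without a null check; the guard that ends just before the new call in `openReceivedFile` may cover that path, but it lies outside the hunk and other callers are not visible. The new check validates `uri`, while the file that is opened is built from the separate `fileName` parameter, so it is worth confirming that a caller cannot supply the two independently. `openReceivedFile` starts and ends outside the visible hunks.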
