OPP: Restrict file based URI access to external storage

Jack He · andi34 · commit ac35a9708183 · 2017-06-16T20:14:07.000+02:00
* Allow only external storage paths in file based URI in
  BluetoothOppSendFileInfo when the file send request comes from an
  external source
* Fix a potential NPE when using Uri.getPath()

Bug: 35310991
Test: Make, test various cases of Bluetooth file share
Change-Id: Id5519588266f22674b6d01ec6ebe34fe38cbccce
(cherry picked from commit 3edd7f0a8aadf2f44bc62ea5b567c74d39a534c8)
(cherry picked from commit 3ce229fa602f739d1e98e2a85a3bd955c3a308f6)
diff --git a/src/com/android/bluetooth/opp/BluetoothOppHandoverReceiver.java b/src/com/android/bluetooth/opp/BluetoothOppHandoverReceiver.java
@@ -50,7 +50,7 @@ public void onReceive(Context context, Intent intent) {
                     // Save type/stream, will be used when adding transfer
                     // session to DB.
                     BluetoothOppManager.getInstance(context).saveSendingFileInfo(type,
-                            stream.toString(), true);
+                            stream.toString(), true, false);
                 } else {
                     if (D) Log.d(TAG, "No mimeType or stream attached to handover request");
                 }
@@ -60,7 +60,7 @@ public void onReceive(Context context, Intent intent) {
                 uris = intent.getParcelableArrayListExtra(Intent.EXTRA_STREAM);
                 if (mimeType != null && uris != null) {
                     BluetoothOppManager.getInstance(context).saveSendingFileInfo(mimeType,
-                            uris, true);
+                            uris, true /* isHandover */, true /* fromExternal */);
                 } else {
                     if (D) Log.d(TAG, "No mimeType or stream attached to handover request");
                     return;
diff --git a/src/com/android/bluetooth/opp/BluetoothOppLauncherActivity.java b/src/com/android/bluetooth/opp/BluetoothOppLauncherActivity.java
@@ -103,7 +103,8 @@ public void onCreate(Bundle savedInstanceState) {
                     Thread t = new Thread(new Runnable() {
                         public void run() {
                             BluetoothOppManager.getInstance(BluetoothOppLauncherActivity.this)
-                                .saveSendingFileInfo(type,stream.toString(), false);
+                                .saveSendingFileInfo(type,stream.toString(),
+                                    false /* isHandover */, true /* fromExternal */);
                             //Done getting file info..Launch device picker and finish this activity
                             launchDevicePicker();
                             finish();
@@ -119,7 +120,8 @@ public void run() {
                         Thread t = new Thread(new Runnable() {
                             public void run() {
                                 BluetoothOppManager.getInstance(BluetoothOppLauncherActivity.this)
-                                    .saveSendingFileInfo(type,fileUri.toString(), false);
+                                    .saveSendingFileInfo(type,fileUri.toString(),
+                                        false /* isHandover */, false /* fromExternal */);
                                 //Done getting file info..Launch device picker
                                 //and finish this activity
                                 launchDevicePicker();
@@ -147,7 +149,8 @@ public void run() {
                     Thread t = new Thread(new Runnable() {
                         public void run() {
                             BluetoothOppManager.getInstance(BluetoothOppLauncherActivity.this)
-                                .saveSendingFileInfo(mimeType,uris, false);
+                                .saveSendingFileInfo(mimeType,uris,
+                                    false /* isHandover */, true /* fromExternal */);
                             //Done getting file info..Launch device picker
                             //and finish this activity
                             launchDevicePicker();
diff --git a/src/com/android/bluetooth/opp/BluetoothOppManager.java b/src/com/android/bluetooth/opp/BluetoothOppManager.java
@@ -247,30 +247,32 @@ private void storeApplicationData() {
         if (V) Log.v(TAG, "Application data stored to SharedPreference! ");
     }
 
-    public void saveSendingFileInfo(String mimeType, String uriString, boolean isHandover) {
+    public void saveSendingFileInfo(String mimeType, String uriString, boolean isHandover,
+            boolean fromExternal) {
         synchronized (BluetoothOppManager.this) {
             mMultipleFlag = false;
             mMimeTypeOfSendingFile = mimeType;
             mIsHandoverInitiated = isHandover;
             Uri uri = Uri.parse(uriString);
             BluetoothOppSendFileInfo sendFileInfo =
-                BluetoothOppSendFileInfo.generateFileInfo(mContext, uri, mimeType);
+                BluetoothOppSendFileInfo.generateFileInfo(mContext, uri, mimeType, fromExternal);
             uri = BluetoothOppUtility.generateUri(uri, sendFileInfo);
             BluetoothOppUtility.putSendFileInfo(uri, sendFileInfo);
             mUriOfSendingFile = uri.toString();
             storeApplicationData();
         }
     }
 
-    public void saveSendingFileInfo(String mimeType, ArrayList<Uri> uris, boolean isHandover) {
+    public void saveSendingFileInfo(String mimeType, ArrayList<Uri> uris, boolean isHandover,
+            boolean fromExternal) {
         synchronized (BluetoothOppManager.this) {
             mMultipleFlag = true;
             mMimeTypeOfSendingFiles = mimeType;
             mUrisOfSendingFiles = new ArrayList<Uri>();
             mIsHandoverInitiated = isHandover;
             for (Uri uri : uris) {
                 BluetoothOppSendFileInfo sendFileInfo =
-                    BluetoothOppSendFileInfo.generateFileInfo(mContext, uri, mimeType);
+                    BluetoothOppSendFileInfo.generateFileInfo(mContext, uri, mimeType, fromExternal);
                 uri = BluetoothOppUtility.generateUri(uri, sendFileInfo);
                 mUrisOfSendingFiles.add(uri);
                 BluetoothOppUtility.putSendFileInfo(uri, sendFileInfo);
diff --git a/src/com/android/bluetooth/opp/BluetoothOppSendFileInfo.java b/src/com/android/bluetooth/opp/BluetoothOppSendFileInfo.java
@@ -39,6 +39,7 @@
 import android.database.sqlite.SQLiteException;
 import android.net.Uri;
 import android.provider.OpenableColumns;
+import android.util.EventLog;
 import android.util.Log;
 
 import java.io.File;
@@ -97,8 +98,8 @@ public BluetoothOppSendFileInfo(String data, String type, long length, int statu
         mStatus = status;
     }
 
-    public static BluetoothOppSendFileInfo generateFileInfo(Context context, Uri uri,
-            String type) {
+    public static BluetoothOppSendFileInfo generateFileInfo(
+            Context context, Uri uri, String type, boolean fromExternal) {
         ContentResolver contentResolver = context.getContentResolver();
         String scheme = uri.getScheme();
         String fileName = null;
@@ -134,6 +135,16 @@ public static BluetoothOppSendFileInfo generateFileInfo(Context context, Uri uri
                 fileName = uri.getLastPathSegment();
             }
         } else if ("file".equals(scheme)) {
+            if (uri.getPath() == null) {
+                Log.e(TAG, "Invalid URI path: " + uri);
+                return SEND_FILE_INFO_ERROR;
+            }
+            if (fromExternal && !BluetoothOppUtility.isInExternalStorageDir(uri)) {
+                EventLog.writeEvent(0x534e4554, "35310991", -1, uri.getPath());
+                Log.e(TAG,
+                        "File based URI not in Environment.getExternalStorageDirectory() is not allowed.");
+                return SEND_FILE_INFO_ERROR;
+            }
             fileName = uri.getLastPathSegment();
             contentType = type;
             File f = new File(uri.getPath());
diff --git a/src/com/android/bluetooth/opp/BluetoothOppTransferActivity.java b/src/com/android/bluetooth/opp/BluetoothOppTransferActivity.java
@@ -373,7 +373,7 @@ public void onClick(DialogInterface dialog, int which) {
                     // retry the failed transfer
                     Uri uri = BluetoothOppUtility.originalUri(Uri.parse(mTransInfo.mFileUri));
                     BluetoothOppSendFileInfo sendFileInfo =
-                        BluetoothOppSendFileInfo.generateFileInfo(this, uri, mTransInfo.mFileType);
+                        BluetoothOppSendFileInfo.generateFileInfo(this, uri, mTransInfo.mFileType, false);
                     uri = BluetoothOppUtility.generateUri(uri, sendFileInfo);
                     BluetoothOppUtility.putSendFileInfo(uri, sendFileInfo);
                     mTransInfo.mFileUri = uri.toString();
diff --git a/src/com/android/bluetooth/opp/BluetoothOppUtility.java b/src/com/android/bluetooth/opp/BluetoothOppUtility.java
@@ -39,13 +39,15 @@
 import android.bluetooth.BluetoothAdapter;
 import android.bluetooth.BluetoothDevice;
 import android.net.Uri;
+import android.content.ContentResolver;
 import android.content.ContentValues;
 import android.content.Context;
 import android.content.ActivityNotFoundException;
 import android.content.Intent;
 import android.content.pm.PackageManager;
 import android.content.pm.ResolveInfo;
 import android.database.Cursor;
+import android.os.Environment;
 import android.util.Log;
 
 import java.io.File;
@@ -349,4 +351,40 @@ static void closeSendFileInfo(Uri uri) {
             }
         }
     }
+
+    /**
+     * Checks if the URI is in Environment.getExternalStorageDirectory() as it
+     * is the only directory that is possibly readable by both the sender and
+     * the Bluetooth process.
+     */
+    static boolean isInExternalStorageDir(Uri uri) {
+        if (!ContentResolver.SCHEME_FILE.equals(uri.getScheme())) {
+            Log.e(TAG, "Not a file URI: " + uri);
+            return false;
+        }
+        final File file = new File(uri.getCanonicalUri().getPath());
+        return isSameOrSubDirectory(Environment.getExternalStorageDirectory(), file);
+    }
+
+    /**
+     * Checks, whether the child directory is the same as, or a sub-directory of the base
+     * directory. Neither base nor child should be null.
+     */
+    static boolean isSameOrSubDirectory(File base, File child) {
+        try {
+            base = base.getCanonicalFile();
+            child = child.getCanonicalFile();
+            File parentFile = child;
+            while (parentFile != null) {
+                if (base.equals(parentFile)) {
+                    return true;
+                }
+                parentFile = parentFile.getParentFile();
+            }
+            return false;
+        } catch (IOException ex) {
+            Log.e(TAG, "Error while accessing file", ex);
+            return false;
+        }
+    }
 }
