Fix / Security - remove old Content Provider

Remove obsolete and buggy ContentProvider which could allow a malicious local app to compromise account data
element-hq · May 3, 2019 · 096dfbe · 096dfbe
1 parent ff63603
commit 096dfbe
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 155 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -1,23 +1,31 @@
-Changes in Riot 0.9.00 (2019-XX-XX)
+Changes in Riot 0.9.00 (2019-04-23)
 ===================================================
 
 /!\ This version is the first version published with app id "im.vector.app".
 
 
+Changes in Riot 0.8.99 (2019-04-23)
+===================================================
+
+/!\ This version is the last version published with app id "im.vector.alpha". It contains a screen which introduce the new application "im.vector.app"
+/!\ This release contains security related bugfixes, users should upgrade asap
+
 MatrixSdk:
- - Upgrade MatrixSdk to version 0.9.21.
+ - Upgrade MatrixSdk to version 0.9.22.
- - Changelog: https://github.com/matrix-org/matrix-android-sdk/releases/tag/v0.9.21
+ - Changelog: https://github.com/matrix-org/matrix-android-sdk/releases/tag/v0.9.22
 
 Other changes:
  - Remove Amplitude tracker and Calendars permissions added by Jitsi lib (jitsi/jitsi-meet#4068, jitsi/jitsi-meet#4080)
  - Exclude code of Firebase analytics (#2481)
 
 Bugfix:
  - Fix / Illegal States exceptions when starting event stream service X
+ - Security Fix / Remove obsolete and buggy ContentProvider which could allow a malicious local app to compromise account data. Many thanks to Julien Thomas (twitter.com/@julien_thomas) from Protektoid Project (https://protektoid.com) for identifying this and responsibly disclosing it!
 
 Build:
  - Exclude Firebase analytics code (#2481)
 
+
 Changes in Riot 0.8.29 (2019-04-04)
 ===================================================
 

diff --git a/vector/libs/matrix-sdk.aar b/vector/libs/matrix-sdk.aar
diff --git a/vector/src/main/AndroidManifest.xml b/vector/src/main/AndroidManifest.xml
@@ -539,12 +539,7 @@
         <service
             android:name=".services.CallService"
             android:exported="false" />
-
+
-        <provider
-            android:name=".db.VectorContentProvider"
-            android:authorities="${applicationId}.VectorApp.provider"
-            android:exported="true" />
-
     </application>
 
 </manifest>
diff --git a/vector/src/main/java/im/vector/activity/VectorMediaViewerActivity.java b/vector/src/main/java/im/vector/activity/VectorMediaViewerActivity.java
@@ -20,6 +20,7 @@
 import android.content.Intent;
 import android.net.Uri;
 import android.support.annotation.NonNull;
+import android.support.v4.content.FileProvider;
 import android.support.v4.view.ViewPager;
 import android.view.Menu;
 import android.view.MenuItem;
@@ -39,11 +40,11 @@
 import java.io.File;
 import java.util.List;
 
+import im.vector.BuildConfig;
 import im.vector.Matrix;
 import im.vector.R;
 import im.vector.VectorApp;
 import im.vector.adapters.VectorMediaViewerAdapter;
-import im.vector.db.VectorContentProvider;
 import im.vector.util.PermissionsToolsKt;
 import im.vector.util.SlidableMediaInfo;
 
@@ -265,14 +266,16 @@ public void onSuccess(String savedMediaPath) {
                         // shared / forward
                         Uri mediaUri = null;
                         try {
-                            mediaUri = VectorContentProvider.absolutePathToUri(VectorMediaViewerActivity.this, file.getAbsolutePath());
+                            mediaUri = FileProvider.getUriForFile(VectorMediaViewerActivity.this, BuildConfig.APPLICATION_ID + ".fileProvider", file);
                         } catch (Exception e) {
-                            Log.e(LOG_TAG, "onMediaAction onAction.absolutePathToUri: " + e.getMessage(), e);
+                            Log.e(LOG_TAG, "onMediaAction Selected File cannot be shared " + e.getMessage(), e);
                         }
 
                         if (null != mediaUri) {
                             try {
                                 final Intent sendIntent = new Intent();
+                                // Grant temporary read permission to the content URI
+                                sendIntent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
                                 sendIntent.setAction(Intent.ACTION_SEND);
                                 sendIntent.setType(mediaInfo.mMimeType);
                                 sendIntent.putExtra(Intent.EXTRA_STREAM, mediaUri);

diff --git a/vector/src/main/java/im/vector/db/VectorContentProvider.java b/vector/src/main/java/im/vector/db/VectorContentProvider.java
diff --git a/vector/src/main/java/im/vector/fragments/VectorMessageListFragment.java b/vector/src/main/java/im/vector/fragments/VectorMessageListFragment.java
@@ -27,6 +27,7 @@
 import android.support.annotation.NonNull;
 import android.support.annotation.Nullable;
 import android.support.v4.app.FragmentManager;
+import android.support.v4.content.FileProvider;
 import android.support.v7.app.AlertDialog;
 import android.text.TextUtils;
 import android.view.LayoutInflater;
@@ -74,6 +75,7 @@
 import java.util.List;
 import java.util.Map;
 
+import im.vector.BuildConfig;
 import im.vector.Matrix;
 import im.vector.R;
 import im.vector.activity.CommonActivityUtils;
@@ -83,7 +85,6 @@
 import im.vector.activity.VectorMemberDetailsActivity;
 import im.vector.activity.VectorRoomActivity;
 import im.vector.adapters.VectorMessagesAdapter;
-import im.vector.db.VectorContentProvider;
 import im.vector.extensions.MatrixSdkExtensionsKt;
 import im.vector.listeners.IMessagesAdapterActionsListener;
 import im.vector.listeners.YesNoListener;
@@ -868,19 +869,22 @@ public void onSuccess(String savedMediaPath) {
                     } else {
                         // Move the file to the Share folder, to avoid it to be deleted because the Activity will be paused while the
                         // user select an application to share the file
+                        // only files in this folder can be shared with external apps, with temporary read access
                         file = mediasCache.moveToShareFolder(file, trimmedFileName);
 
                         // shared / forward
                         Uri mediaUri = null;
                         try {
-                            mediaUri = VectorContentProvider.absolutePathToUri(getActivity(), file.getAbsolutePath());
+                            mediaUri = FileProvider.getUriForFile(getActivity(), BuildConfig.APPLICATION_ID + ".fileProvider", file);
                         } catch (Exception e) {
-                            Log.e(LOG_TAG, "onMediaAction VectorContentProvider.absolutePathToUri: " + e.getMessage(), e);
+                            Log.e(LOG_TAG, "onMediaAction Selected File cannot be shared " + e.getMessage(), e);
                         }
 
                         if (null != mediaUri) {
                             final Intent sendIntent = new Intent();
                             sendIntent.setAction(Intent.ACTION_SEND);
+                            // Grant temporary read permission to the content URI
+                            sendIntent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
                             sendIntent.setType(mediaMimeType);
                             sendIntent.putExtra(Intent.EXTRA_STREAM, mediaUri);
 

diff --git a/vector/src/main/res/xml/vector_provider_paths.xml b/vector/src/main/res/xml/vector_provider_paths.xml
@@ -3,4 +3,7 @@
     <external-path
         name="external_files"
         path="." />
+    <files-path
+        name="shared"
+        path="ext_share" />
 </paths>