commit 2c34481dc7f8e412b02492ddab57de216db7fdae
author Tom Taylor <tomtaylor@google.com> Wed Feb 20 16:50:15 2013 -0800
committer Android Git Automerger <android-git-automerger@android.com> Wed Feb 20 16:50:15 2013 -0800
tree 260f2f4398235f85ba63ca0c6aadf43d33a65095
parent 15156cd6afcc7ed57ac7be40ef2d32a615e83599
parent 7c24d433ed2175dfb9b75f3beeb4283aa21d94e6

am 7c24d433: am 8d4bb29c: am 0ffb2dda: Android MMS api allows arbitrary file access as the radio user

* commit '7c24d433ed2175dfb9b75f3beeb4283aa21d94e6':
  Android MMS api allows arbitrary file access as the radio user

src/com/android/providers/telephony/MmsProvider.java

diff --git a/src/com/android/providers/telephony/MmsProvider.java b/src/com/android/providers/telephony/MmsProvider.java
index 5e3e1f1..bddce1d 100644
--- a/src/com/android/providers/telephony/MmsProvider.java
+++ b/src/com/android/providers/telephony/MmsProvider.java
@@ -17,6 +17,7 @@
 package com.android.providers.telephony;
 
 import android.content.ContentProvider;
+import android.content.ContentResolver;
 import android.content.ContentValues;
 import android.content.Context;
 import android.content.Intent;
@@ -764,20 +765,50 @@
 
     @Override
     public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
-        // TODO do we even need this anymore?
-        ParcelFileDescriptor fd;
         int match = sURLMatcher.match(uri);
 
         if (Log.isLoggable(TAG, Log.VERBOSE)) {
-            Log.d(TAG, "openFile: uri=" + uri + ", mode=" + mode);
+            Log.d(TAG, "openFile: uri=" + uri + ", mode=" + mode + ", match=" + match);
         }
 
-        switch (match) {
-            default:
-                fd = openFileHelper(uri, mode);
+        if (match != MMS_PART_ID) {
+            return null;
         }
 
-        return fd;
+        // Verify that the _data path points to mms data
+        Cursor c = query(uri, new String[]{"_data"}, null, null, null);
+        int count = (c != null) ? c.getCount() : 0;
+        if (count != 1) {
+            // If there is not exactly one result, throw an appropriate
+            // exception.
+            if (c != null) {
+                c.close();
+            }
+            if (count == 0) {
+                throw new FileNotFoundException("No entry for " + uri);
+            }
+            throw new FileNotFoundException("Multiple items at " + uri);
+        }
+
+        c.moveToFirst();
+        int i = c.getColumnIndex("_data");
+        String path = (i >= 0 ? c.getString(i) : null);
+        c.close();
+
+        if (path == null) {
+            return null;
+        }
+        try {
+            File filePath = new File(path);
+            if (!filePath.getCanonicalPath()
+                    .startsWith(getContext().getApplicationInfo().dataDir + "/app_parts/")) {
+                return null;
+            }
+        } catch (IOException e) {
+            return null;
+        }
+
+        return openFileHelper(uri, mode);
     }
 
     private void filterUnsupportedKeys(ContentValues values) {