Validate file path in TermuxOpenReceiver

termux · Oct 28, 2017 · 092a83a · 092a83a
1 parent 3533b13
commit 092a83a
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/app/src/main/java/com/termux/app/TermuxOpenReceiver.java b/app/src/main/java/com/termux/app/TermuxOpenReceiver.java
@@ -8,6 +8,7 @@
 import android.database.Cursor;
 import android.database.MatrixCursor;
 import android.net.Uri;
+import android.os.Environment;
 import android.os.ParcelFileDescriptor;
 import android.provider.MediaStore;
 import android.support.annotation.NonNull;
@@ -18,6 +19,7 @@
 
 import java.io.File;
 import java.io.FileNotFoundException;
+import java.io.IOException;
 
 public class TermuxOpenReceiver extends BroadcastReceiver {
 
@@ -171,6 +173,16 @@ public int update(@NonNull Uri uri, ContentValues values, String selection, Stri
         @Override
         public ParcelFileDescriptor openFile(@NonNull Uri uri, @NonNull String mode) throws FileNotFoundException {
             File file = new File(uri.getPath());
+            try {
+                String path = file.getCanonicalPath();
+                String storagePath = Environment.getExternalStorageDirectory().getCanonicalPath();
+                // See https://support.google.com/faqs/answer/7496913:
+                if (!(path.startsWith(TermuxService.FILES_PATH) || path.startsWith(storagePath))) {
+                    throw new IllegalArgumentException("Invalid path: " + path);
+                }
+            } catch (IOException e) {
+                throw new IllegalArgumentException(e);
+            }
             return ParcelFileDescriptor.open(file, ParcelFileDescriptor.MODE_READ_ONLY);
         }
     }