authorJeff Sharkey <jsharkey@android.com>2018-09-24 13:49:30 -0600
committerRohit Yengisetty <rngy@google.com>2018-10-17 11:09:38 -0700
commit845bb9b3e243deb49be33c75f835893dba50492f (patch)
treeb332e73a9793b0d074d86cd873cf45fdf808d1c9
parentcf1969a847b6aa8d39c01eacb1ba15092df9781e (diff)
The path-permission element offers prefix or regex style matching of paths, but most providers internally use UriMatcher to decide what to do with an incoming Uri. This causes trouble because UriMatcher uses Uri.getPathSegments(), which quietly ignores "empty" paths. Consider this example: <path-permission android:pathPrefix="/private" ... /> uriMatcher.addURI("com.example", "/private", CODE_PRIVATE); content://com.example//private The Uri above will pass the security check, since it's not technically a prefix match. But the UriMatcher will then match it as CODE_PRIVATE, since it ignores the "//" zero-length path. Since we can't safely change the behavior of either path-permission or UriMatcher, we're left with recovering these shady paths by trimming away zero-length paths. Bug: 112555574 Test: atest android.appsecurity.cts.AppSecurityTests Test: atest FrameworksCoreTests:android.content.ContentProviderTest Change-Id: Ia62aa19b7d554b806b29875eb6e397adfe69d23b Merged-In: Ia62aa19b7d554b806b29875eb6e397adfe69d23b (cherry picked from commit bc62467b7320d77868c3d7a44596f6e96eca2167)
-rw-r--r--hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/src/com/android/cts/usespermissiondiffcertapp/AccessPermissionWithDiffSigTest.java30
1 files changed, 30 insertions, 0 deletions
diff --git a/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/src/com/android/cts/usespermissiondiffcertapp/AccessPermissionWithDiffSigTest.java b/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/src/com/android/cts/usespermissiondiffcertapp/AccessPermissionWithDiffSigTest.java
index f187504d992..355de8c72c9 100644
--- a/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/src/com/android/cts/usespermissiondiffcertapp/AccessPermissionWithDiffSigTest.java
+++ b/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/src/com/android/cts/usespermissiondiffcertapp/AccessPermissionWithDiffSigTest.java
@@ -141,6 +141,16 @@ public class AccessPermissionWithDiffSigTest extends AndroidTestCase {
}
}
+ private void assertContentUriAllowed(Uri uri) {
+ assertReadingContentUriAllowed(uri);
+ assertWritingContentUriAllowed(uri);
+ }
+
+ private void assertContentUriNotAllowed(Uri uri, String msg) {
+ assertReadingContentUriNotAllowed(uri, msg);
+ assertWritingContentUriNotAllowed(uri, msg);
+ }
+
private void assertWritingContentUriNotAllowed(Uri uri, String msg) {
final ContentResolver resolver = getContext().getContentResolver();
try {
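Review bot: `assertContentUriNotAllowed` forwards `msg` unchanged to the read and write assertions, and every caller added in this commit (all in `testRestrictingProviderMatchingShadyPaths`) passes `null`. Whether a failure then names the offending Uri depends on how `assertReadingContentUriNotAllowed` and `assertWritingContentUriNotAllowed` build their message, and the hunk shows only the start of the latter. If they do not already include the Uri, a regression in one of several near-identical path-permission cases will be hard to triage, so I would pass a short label such as `"empty leading path segment"` instead of `null`. Both new helpers also lack a comment; judging by the names of the methods they call, something like `// Asserts that both reading and writing the Uri are permitted.` and its denied counterpart would do.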
@@ -1170,6 +1180,26 @@ public class AccessPermissionWithDiffSigTest extends AndroidTestCase {
}
/**
+ * Test that shady {@link Uri} are blocked by {@code path-permission}.
+ */
+ public void testRestrictingProviderMatchingShadyPaths() {
+ assertContentUriAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting/"));
+ assertContentUriAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting//"));
+ assertContentUriAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting///"));
+ assertContentUriNotAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting/foo"), null);
+ assertContentUriNotAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting//foo"), null);
+ assertContentUriNotAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting///foo"), null);
+ assertContentUriNotAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting/foo//baz"), null);
+ }
+
+ /**
* Verify that at least one {@code path-permission} rule will grant access,
* even if the caller doesn't hold another matching {@code path-permission}.
*/
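Review bot: The Javadoc on `testRestrictingProviderMatchingShadyPaths` says only that shady Uris are blocked, yet the first three assertions check the opposite direction: that `/`, `//` and `///` on the restricting provider stay allowed. The word "shady" is also never defined in the file. I would state both halves and name the condition, e.g. `Test that {@link Uri}s containing zero-length path segments (such as {@code //foo}) are still denied by {@code path-permission}, while the bare root remains allowed.` The `path-permission` rule that makes `/foo` restricted is declared outside this diff, presumably in the provider's manifest, so a short pointer to it in the comment would help a reader confirm the expected allow/deny split.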