Check file uri sharing owner rather than prohibiting outright

Fixes #5381 // FREEBIE
2024-11-27 12:05:22 +00:00 · 2016-03-25 17:08:43 -07:00 · 2016-03-25 17:08:43 -07:00 · f2b81d88ba
commit f2b81d88ba
parent f1bd2d9193
8 changed files with 106 additions and 5 deletions
--- a/jni/Android.mk
+++ b/jni/Android.mk
@ -53,6 +53,14 @@ libwebrtc_spl \
 libwebrtc_vad \
 libcrypto_static

-
 include $(BUILD_SHARED_LIBRARY)

+include $(CLEAR_VARS)
+
+LOCAL_MODULE     := native-utils
+LOCAL_C_INCLUDES := $(JNI_DIR)/utils/
+LOCAL_CFLAGS     += -Wall
+
+LOCAL_SRC_FILES := $(JNI_DIR)/utils/org_thoughtcrime_securesms_util_FileUtils.cpp
+
+include $(BUILD_SHARED_LIBRARY)
--- a/jni/utils/org_thoughtcrime_securesms_util_FileUtils.cpp
+++ b/jni/utils/org_thoughtcrime_securesms_util_FileUtils.cpp
@ -0,0 +1,31 @@
+#include "org_thoughtcrime_securesms_util_FileUtils.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+jint JNICALL Java_org_thoughtcrime_securesms_util_FileUtils_getFileDescriptorOwner
+  (JNIEnv *env, jclass clazz, jobject fileDescriptor)
+{
+  jclass fdClass = env->GetObjectClass(fileDescriptor);
+
+  if (fdClass == NULL) {
+    return -1;
+  }
+
+  jfieldID fdFieldId = env->GetFieldID(fdClass, "descriptor", "I");
+
+  if (fdFieldId == NULL) {
+    return -1;
+  }
+
+  int fd = env->GetIntField(fileDescriptor, fdFieldId);
+
+  struct stat stat_struct;
+
+  if (fstat(fd, &stat_struct) != 0) {
+    return -1;
+  }
+
+  return stat_struct.st_uid;
+}
--- a/jni/utils/org_thoughtcrime_securesms_util_FileUtils.h
+++ b/jni/utils/org_thoughtcrime_securesms_util_FileUtils.h
@ -0,0 +1,21 @@
+/* DO NOT EDIT THIS FILE - it is machine generated */
+#include <jni.h>
+/* Header for class org_thoughtcrime_securesms_util_FileUtils */
+
+#ifndef _Included_org_thoughtcrime_securesms_util_FileUtils
+#define _Included_org_thoughtcrime_securesms_util_FileUtils
+#ifdef __cplusplus
+extern "C" {
+#endif
+/*
+ * Class:     org_thoughtcrime_securesms_util_FileUtils
+ * Method:    getFileDescriptorOwner
+ * Signature: (Ljava/io/FileDescriptor;)I
+ */
+JNIEXPORT jint JNICALL Java_org_thoughtcrime_securesms_util_FileUtils_getFileDescriptorOwner
+  (JNIEnv *, jclass, jobject);
+
+#ifdef __cplusplus
+}
+#endif
+#endif
--- a/libs/armeabi-v7a/libnative-utils.so
+++ b/libs/armeabi-v7a/libnative-utils.so
--- a/libs/armeabi/libnative-utils.so
+++ b/libs/armeabi/libnative-utils.so
--- a/libs/x86/libnative-utils.so
+++ b/libs/x86/libnative-utils.so
--- a/src/org/thoughtcrime/securesms/ShareActivity.java
+++ b/src/org/thoughtcrime/securesms/ShareActivity.java
@ -21,9 +21,15 @@ import android.content.Context;
 import android.content.Intent;
 import android.net.Uri;
 import android.os.AsyncTask;
+import android.os.Build;
 import android.os.Bundle;
+import android.os.ParcelFileDescriptor;
+import android.os.Process;
 import android.support.annotation.NonNull;
 import android.support.annotation.Nullable;
+import android.system.ErrnoException;
+import android.system.Os;
+import android.system.StructStat;
 import android.util.Log;
 import android.view.Menu;
 import android.view.MenuInflater;
@ -37,9 +43,13 @@ import org.thoughtcrime.securesms.providers.PersistentBlobProvider;
 import org.thoughtcrime.securesms.recipients.Recipients;
 import org.thoughtcrime.securesms.util.DynamicLanguage;
 import org.thoughtcrime.securesms.util.DynamicTheme;
+import org.thoughtcrime.securesms.util.FileUtils;
 import org.thoughtcrime.securesms.util.MediaUtil;
 import org.thoughtcrime.securesms.util.ViewUtil;

+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;

@ -193,17 +203,23 @@ public class ShareActivity extends PassphraseRequiredActionBarActivity
    @Override
    protected Uri doInBackground(Uri... uris) {
      try {
-        if (uris.length != 1 || uris[0] == null || uris[0].getScheme().equals("file")) {
+        if (uris.length != 1 || uris[0] == null) {
          return null;
        }

-        InputStream input = context.getContentResolver().openInputStream(uris[0]);
+        InputStream inputStream;

-        if (input == null) {
+        if ("file".equals(uris[0].getScheme())) {
+          inputStream = openFileUri(uris[0]);
+        } else {
+          inputStream = context.getContentResolver().openInputStream(uris[0]);
+        }
+
+        if (inputStream == null) {
          return null;
        }

-        return PersistentBlobProvider.getInstance(context).create(masterSecret, input, mimeType);
+        return PersistentBlobProvider.getInstance(context).create(masterSecret, inputStream, mimeType);
      } catch (IOException ioe) {
        Log.w(TAG, ioe);
        return null;
@ -216,5 +232,17 @@ public class ShareActivity extends PassphraseRequiredActionBarActivity
      ViewUtil.fadeIn(fragmentContainer, 300);
      ViewUtil.fadeOut(progressWheel, 300);
    }
+
+    private InputStream openFileUri(Uri uri) throws IOException {
+      FileInputStream fin   = new FileInputStream(uri.getPath());
+      int             owner = FileUtils.getFileDescriptorOwner(fin.getFD());
+      
+      if (owner == -1 || owner == Process.myUid()) {
+        fin.close();
+        throw new IOException("File owned by application");
+      }
+
+      return fin;
+    }
  }
 }
--- a/src/org/thoughtcrime/securesms/util/FileUtils.java
+++ b/src/org/thoughtcrime/securesms/util/FileUtils.java
@ -0,0 +1,13 @@
+package org.thoughtcrime.securesms.util;
+
+import java.io.FileDescriptor;
+
+public class FileUtils {
+
+  static {
+    System.loadLibrary("native-utils");
+  }
+
+  public static native int getFileDescriptorOwner(FileDescriptor fileDescriptor);
+
+}