[Android] Provider security fix

Geoffrey Métais git at videolan.org
Tue Oct 29 15:22:35 CET 2019


vlc-android | branch: master | Geoffrey Métais <geoffrey at videolan.org> | Tue Oct 29 15:22:34 2019 +0100| [34fcf1bebe84472aa9367ef8125157f50afb0765] | committer: Geoffrey Métais

Provider security fix

> https://code.videolan.org/videolan/vlc-android/commit/34fcf1bebe84472aa9367ef8125157f50afb0765
---

 vlc-android/src/org/videolan/vlc/FileProvider.kt        | 14 +++++++++-----
 vlc-android/src/org/videolan/vlc/util/AndroidDevices.kt |  2 +-
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/vlc-android/src/org/videolan/vlc/FileProvider.kt b/vlc-android/src/org/videolan/vlc/FileProvider.kt
index 7b353e732..0295a08a7 100644
--- a/vlc-android/src/org/videolan/vlc/FileProvider.kt
+++ b/vlc-android/src/org/videolan/vlc/FileProvider.kt
@@ -5,6 +5,7 @@ import android.content.ContentValues
 import android.database.Cursor
 import android.net.Uri
 import android.os.ParcelFileDescriptor
+import org.videolan.vlc.util.AndroidDevices
 import java.io.File
 import java.io.FileNotFoundException
 
@@ -26,13 +27,16 @@ class FileProvider : ContentProvider() {
 
     override fun getType(uri: Uri) = "image/${uri.path?.substringAfterLast('.')}"
 
-    override fun openFile(uri: Uri, mode: String?): ParcelFileDescriptor {
-        val file = File(uri.path)
-        if (file.canonicalPath.startsWith("/data")) throw SecurityException("Illegal access")
+    override fun openFile(uri: Uri, mode: String): ParcelFileDescriptor {
+        val path = uri.path ?: throw SecurityException("Illegal access")
+        if (path.contains("..")) throw SecurityException("Illegal access")
+        val file = File(path)
+        val canonicalPath = file.canonicalPath
+        if (!AndroidDevices.mountBL.any { canonicalPath.startsWith(it) }) throw SecurityException("Illegal access")
         if (file.exists()) {
             return ParcelFileDescriptor.open(file, ParcelFileDescriptor.MODE_READ_ONLY)
         }
-        throw FileNotFoundException(uri.path)
+        throw FileNotFoundException(path)
     }
 }
 
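Review bot: The new allowlist check validates `canonicalPath`, but the `file.exists()` and `ParcelFileDescriptor.open(file, ...)` calls that follow still operate on the un-resolved `file`, so a symlink below an allowed root can be re-pointed between the check and the open; opening what was actually validated closes that window — `val canonicalFile = file.canonicalFile`, then `if (canonicalFile.exists()) return ParcelFileDescriptor.open(canonicalFile, ParcelFileDescriptor.MODE_READ_ONLY)`. The prefix test should also respect a path-component boundary: `canonicalPath.startsWith("/storage/emulated")` also accepts `/storage/emulatedX`, so compare against `"$it/"` (or `canonicalPath == it`) instead of the bare root. The `..` rejection is harmless but redundant once the canonical path is checked, and it also refuses legitimate names such as `a..b.jpg`; if it is kept, a comment like `// defense in depth: canonicalPath below already resolves '..' and symlinks` would stop a later reader from relying on it alone. Reusing a list named `mountBL` as the set of readable roots deserves a one-line comment at the check stating that it is being used as an allowlist here, since its name suggests the opposite.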
@@ -40,4 +44,4 @@ fun getFileUri(path: String) = Uri.Builder()
         .scheme("content")
         .authority(THUMB_PROVIDER_AUTHORITY)
         .path(path)
-        .build()!!
\ No newline at end of file
+        .build()!!
diff --git a/vlc-android/src/org/videolan/vlc/util/AndroidDevices.kt b/vlc-android/src/org/videolan/vlc/util/AndroidDevices.kt
index 606876537..e185a2c6b 100644
--- a/vlc-android/src/org/videolan/vlc/util/AndroidDevices.kt
+++ b/vlc-android/src/org/videolan/vlc/util/AndroidDevices.kt
@@ -65,7 +65,7 @@ object AndroidDevices {
     private val typeWL = Arrays.asList("vfat", "exfat", "sdcardfs", "fuse", "ntfs", "fat32", "ext3", "ext4", "esdfs")
     private val typeBL = listOf("tmpfs")
     private val mountWL = arrayOf("/mnt", "/Removable", "/storage")
-    private val mountBL = arrayOf(EXTERNAL_PUBLIC_DIRECTORY, "/mnt/secure", "/mnt/shell", "/mnt/asec", "/mnt/nand", "/mnt/runtime", "/mnt/obb", "/mnt/media_rw/extSdCard", "/mnt/media_rw/sdcard", "/storage/emulated", "/var/run/arc")
+    val mountBL = arrayOf(EXTERNAL_PUBLIC_DIRECTORY, "/mnt/secure", "/mnt/shell", "/mnt/asec", "/mnt/nand", "/mnt/runtime", "/mnt/obb", "/mnt/media_rw/extSdCard", "/mnt/media_rw/sdcard", "/storage/emulated", "/var/run/arc")
     private val deviceWL = arrayOf("/dev/block/vold", "/dev/fuse", "/mnt/media_rw", "passthrough")
 
     /**
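Review bot: Making `mountBL` public exposes a mutable `Array<String>`, so any code in the app can overwrite an element (`AndroidDevices.mountBL[0] = "/"`) and silently widen whatever is checked against it; an `Array` cannot be made read-only, so prefer `val mountBL: List<String> = listOf(EXTERNAL_PUBLIC_DIRECTORY, "/mnt/secure", ...)` if the other readers in this object (not visible in the hunk) accept a `List`, or keep the array private and expose `val mountBlacklist: List<String> get() = mountBL.asList()`. The name says blacklist while the new external consumer in `FileProvider.openFile` treats it as an allowlist of storage roots, so a KDoc line naming both roles — its original use here and the new use as the set of roots the thumbnail provider may read from — would make that dual purpose explicit to whoever next edits the list.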


