[Android] Perform read check on thumb to verify the FileProvider can return the image
Robert Stone
git at videolan.org
Tue Feb 23 05:21:57 UTC 2021
vlc-android | branch: master | Robert Stone <rhstone at gmail.com> | Mon Feb 15 23:05:49 2021 -0800| [f085648f714b438d6c8b9c7e02c9c4eb3f0853f8] | committer: Nicolas Pomepuy
Perform read check on thumb to verify the FileProvider can return the image
> https://code.videolan.org/videolan/vlc-android/commit/f085648f714b438d6c8b9c7e02c9c4eb3f0853f8
---
application/vlc-android/src/org/videolan/vlc/FileProvider.kt | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/application/vlc-android/src/org/videolan/vlc/FileProvider.kt b/application/vlc-android/src/org/videolan/vlc/FileProvider.kt
index dff811fbc..be8f685e4 100644
--- a/application/vlc-android/src/org/videolan/vlc/FileProvider.kt
+++ b/application/vlc-android/src/org/videolan/vlc/FileProvider.kt
@@ -31,8 +31,7 @@ class FileProvider : ContentProvider() {
val path = uri.path ?: throw SecurityException("Illegal access")
if (path.contains("..")) throw SecurityException("Illegal access")
val file = File(path)
- val canonicalPath = file.canonicalPath
- if (!isPathValid(canonicalPath)) throw SecurityException("Illegal access")
+ if (!AndroidDevices.mountBL.any { file.canonicalPath.startsWith(it) }) throw SecurityException("Illegal access")
if (file.exists()) {
return ParcelFileDescriptor.open(file, ParcelFileDescriptor.MODE_READ_ONLY)
}
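Review bot: The allow check on the added line is a raw string prefix match, so a canonical path that merely begins with the same characters as an entry of `AndroidDevices.mountBL` (a sibling directory whose name extends the entry's) passes even though it lies outside that directory. The same comparison is used in `isPathValid` in the second hunk. Resolve the path once and compare on a separator boundary, e.g. `val canonical = file.canonicalPath` followed by `if (AndroidDevices.mountBL.none { canonical == it || canonical.startsWith(it.trimEnd('/') + "/") }) throw SecurityException("Illegal access")`. The descriptor is then opened from `file` rather than from the canonical path that was checked, so a link changed between the check and `ParcelFileDescriptor.open` is not covered; opening `File(canonical)` narrows that gap. The enclosing function starts and ends outside the hunk.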
@@ -47,5 +46,6 @@ fun getFileUri(path: String) = Uri.Builder()
.build()!!
fun isPathValid(path: String): Boolean {
- return AndroidDevices.mountBL.any { path.startsWith(it) }
+ val file = File(path)
+ return AndroidDevices.mountBL.any { file.canonicalPath.startsWith(it) } && file.canRead()
}
\ No newline at end of file
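Review bot: `isPathValid` now touches the filesystem (`canonicalPath`, `canRead()`), but nothing tells callers so. A path inside an allowed root that does not exist yet, or is unreadable, now returns false, and `canonicalPath` can throw `IOException` out of what reads like a pure predicate. A KDoc such as `/** True only if [path] resolves under an entry of AndroidDevices.mountBL and the file is currently readable; performs filesystem access. */` would make that contract explicit. `file.canonicalPath` is also re-evaluated for every element inside the `any` lambda; hoisting it into a `val` before the call resolves the path once and checks every entry against the same resolved value.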