[Android] Prevent the thumb provider to distribute files from outside the thumbnails cache

Nicolas Pomepuy git at videolan.org
Tue Jan 24 13:03:50 UTC 2023


vlc-android | branch: 3.5.x | Nicolas Pomepuy <nicolas at videolabs.io> | Mon Jan 23 13:58:59 2023 +0100| [dac1cdc810f517bbc6f47c9f821d3bbec82ec0bd] | committer: Duncan McNamara

Prevent the thumb provider to distribute files from outside the thumbnails cache

> https://code.videolan.org/videolan/vlc-android/commit/dac1cdc810f517bbc6f47c9f821d3bbec82ec0bd
---

 application/vlc-android/src/org/videolan/vlc/FileProvider.kt | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/application/vlc-android/src/org/videolan/vlc/FileProvider.kt b/application/vlc-android/src/org/videolan/vlc/FileProvider.kt
index be8f685e44..60d9edbf9b 100644
--- a/application/vlc-android/src/org/videolan/vlc/FileProvider.kt
+++ b/application/vlc-android/src/org/videolan/vlc/FileProvider.kt
@@ -5,7 +5,9 @@ import android.content.ContentValues
 import android.database.Cursor
 import android.net.Uri
 import android.os.ParcelFileDescriptor
+import org.videolan.medialibrary.interfaces.Medialibrary
 import org.videolan.resources.AndroidDevices
+import org.videolan.resources.AppContextProvider
 import java.io.File
 import java.io.FileNotFoundException
 
@@ -30,6 +32,7 @@ class FileProvider : ContentProvider() {
     override fun openFile(uri: Uri, mode: String): ParcelFileDescriptor {
         val path = uri.path ?: throw SecurityException("Illegal access")
         if (path.contains("..")) throw SecurityException("Illegal access")
+        if (!path.startsWith(AppContextProvider.appContext.getExternalFilesDir(null)!!.absolutePath + Medialibrary.MEDIALIB_FOLDER_NAME)) throw SecurityException("Illegal access")
         val file = File(path)
         if (!AndroidDevices.mountBL.any { file.canonicalPath.startsWith(it) }) throw SecurityException("Illegal access")
         if (file.exists()) {
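Review bot: The prefix test added just before `val file = File(path)` runs on the raw `uri.path` string and has no trailing separator, so it does not by itself guarantee the opened file lies inside the thumbnails folder. A sibling directory whose name begins with the same characters, or a link inside the folder that resolves elsewhere, would still satisfy it, because the canonical path is only compared against `mountBL` on the following line. Moving the test after `File(path)` and comparing canonical paths would be tighter, e.g. `val root = File(thumbsDir).canonicalPath` then `if (!file.canonicalPath.startsWith(root + File.separator)) throw SecurityException("Illegal access")`, where `thumbsDir` stands for the same concatenated path the commit builds. `getExternalFilesDir(null)` can return null when shared storage is unavailable, so the `!!` turns that case into a NullPointerException inside the provider; `?: throw FileNotFoundException("Storage unavailable")` would fail more cleanly. The body of openFile continues past the end of the hunk.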


