[Android] Prevent the thumb provider to distribute files from outside the thumbnails cache
Nicolas Pomepuy
git at videolan.org
Tue Jan 24 13:03:50 UTC 2023
vlc-android | branch: 3.5.x | Nicolas Pomepuy <nicolas at videolabs.io> | Mon Jan 23 13:58:59 2023 +0100| [dac1cdc810f517bbc6f47c9f821d3bbec82ec0bd] | committer: Duncan McNamara
Prevent the thumb provider to distribute files from outside the thumbnails cache
> https://code.videolan.org/videolan/vlc-android/commit/dac1cdc810f517bbc6f47c9f821d3bbec82ec0bd
---
application/vlc-android/src/org/videolan/vlc/FileProvider.kt | 3 +++
1 file changed, 3 insertions(+)
diff --git a/application/vlc-android/src/org/videolan/vlc/FileProvider.kt b/application/vlc-android/src/org/videolan/vlc/FileProvider.kt
index be8f685e44..60d9edbf9b 100644
--- a/application/vlc-android/src/org/videolan/vlc/FileProvider.kt
+++ b/application/vlc-android/src/org/videolan/vlc/FileProvider.kt
@@ -5,7 +5,9 @@ import android.content.ContentValues
import android.database.Cursor
import android.net.Uri
import android.os.ParcelFileDescriptor
+import org.videolan.medialibrary.interfaces.Medialibrary
import org.videolan.resources.AndroidDevices
+import org.videolan.resources.AppContextProvider
import java.io.File
import java.io.FileNotFoundException
@@ -30,6 +32,7 @@ class FileProvider : ContentProvider() {
override fun openFile(uri: Uri, mode: String): ParcelFileDescriptor {
val path = uri.path ?: throw SecurityException("Illegal access")
if (path.contains("..")) throw SecurityException("Illegal access")
+ if (!path.startsWith(AppContextProvider.appContext.getExternalFilesDir(null)!!.absolutePath + Medialibrary.MEDIALIB_FOLDER_NAME)) throw SecurityException("Illegal access")
val file = File(path)
if (!AndroidDevices.mountBL.any { file.canonicalPath.startsWith(it) }) throw SecurityException("Illegal access")
if (file.exists()) {
More information about the Android
mailing list