author | Christopher Tate <ctate@google.com> | 2013-03-25 10:06:34 -0700 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2013-03-25 13:44:34 -0700 |
commit | 0cb27e28071af59000198c8588c588a2e63cc0a3 (patch) | |
tree | eb39a3edefe98598e35b3dec670f78a6b7e27249 /core | |
parent | a2e929e1df62947b7967258f21fd05b27a571878 (diff) | |
Validate restored file paths against their nominal domain
Bug 8460775
(cherry picked from commit 7323765bbf13d9638cf2cc1e06113bffcdac46c4)
Change-Id: I6710503799a6df2de142a827513d5b4c107b6ec9
Diffstat (limited to 'core')
-rw-r--r-- | core/java/android/app/backup/BackupAgent.java | 28 |
1 files changed, 19 insertions, 9 deletions
diff --git a/core/java/android/app/backup/BackupAgent.java b/core/java/android/app/backup/BackupAgent.java
index 9ad33a5..0e835ed 100644
--- a/core/java/android/app/backup/BackupAgent.java
+++ b/core/java/android/app/backup/BackupAgent.java
@@ -440,21 +440,31 @@ public abstract class BackupAgent extends ContextWrapper {
 basePath = getCacheDir().getCanonicalPath();
 } else {
 // Not a supported location
- Log.i(TAG, "Data restored from non-app domain " + domain + ", ignoring");
+ Log.i(TAG, "Unrecognized domain " + domain);
 }
 // Now that we've figured out where the data goes, send it on its way
 if (basePath != null) {
+ // Canonicalize the nominal path and verify that it lies within the stated domain
 File outFile = new File(basePath, path);
- if (DEBUG) Log.i(TAG, "[" + domain + " : " + path + "] mapped to " + outFile.getPath());
- onRestoreFile(data, size, outFile, type, mode, mtime);
- } else {
- // Not a supported output location? We need to consume the data
- // anyway, so just use the default "copy the data out" implementation
- // with a null destination.
- if (DEBUG) Log.i(TAG, "[ skipping data from unsupported domain " + domain + "]");
- FullBackup.restoreFile(data, size, type, mode, mtime, null);
+ String outPath = outFile.getCanonicalPath();
+ if (outPath.startsWith(basePath + File.separatorChar)) {
+ if (DEBUG) Log.i(TAG, "[" + domain + " : " + path + "] mapped to " + outPath);
+ onRestoreFile(data, size, outFile, type, mode, mtime);
+ return;
+ } else {
+ // Attempt to restore to a path outside the file's nominal domain.
+ if (DEBUG) {
+ Log.e(TAG, "Cross-domain restore attempt: " + outPath);
+ }
+ }
 }
+
+ // Not a supported output location, or bad path: we need to consume the data
+ // anyway, so just use the default "copy the data out" implementation
+ // with a null destination.
+ if (DEBUG) Log.i(TAG, "[ skipping file " + path + "]");
+ FullBackup.restoreFile(data, size, type, mode, mtime, null);
 }
 // ----- Core implementation ----- |
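Review bot: The rejected-path branch logs only under `DEBUG`, so on production builds an archive entry whose path canonicalizes outside its domain is discarded with no trace; a failed containment check is a security-relevant event and should be recorded unconditionally, e.g. `Log.w(TAG, "Cross-domain restore attempt: " + outPath);`. Separately, the check is made on `outPath` but `onRestoreFile` still receives `outFile`, which was built from the unvalidated `path`; passing `new File(outPath)` would make the location written the one that was actually validated, rather than a path that is resolved again later. The `startsWith(basePath + File.separatorChar)` comparison also assumes every `basePath` is itself canonical, which holds for the cache branch visible here, but the other domain branches and the start of the method lie outside the hunk, so that should be confirmed there.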