commit 0660244119243928a69e5f21ef5ea339c7f6d008
author Christopher Tate <ctate@google.com> Thu Aug 07 20:57:59 2014 +0000
committer Android (Google) Code Review <android-gerrit@google.com> Thu Aug 07 15:00:45 2014 +0000
tree 903bb725d4767fcdd59737656f66433a62d426e0
parent f9b4c2cc6ffbcb21f8e9b015ed3bdab0501bdf65
parent cce476034388383a6006555a225e2170f3b4dcd9

Merge "Sanity-check paths of files to be restored" into lmp-dev

services/backup/java/com/android/server/backup/BackupManagerService.java

diff --git a/services/backup/java/com/android/server/backup/BackupManagerService.java b/services/backup/java/com/android/server/backup/BackupManagerService.java
index 59aef32..77b14ac 100644
--- a/services/backup/java/com/android/server/backup/BackupManagerService.java
+++ b/services/backup/java/com/android/server/backup/BackupManagerService.java
@@ -5129,6 +5129,14 @@
                 }
             }
 
+            // The path needs to be canonical
+            if (info.path.contains("..") || info.path.contains("//")) {
+                if (MORE_DEBUG) {
+                    Slog.w(TAG, "Dropping invalid path " + info.path);
+                }
+                return false;
+            }
+
             // Otherwise we think this file is good to go
             return true;
         }
@@ -5680,6 +5688,14 @@
                                 break;
                         }
 
+                        // The path needs to be canonical
+                        if (info.path.contains("..") || info.path.contains("//")) {
+                            if (MORE_DEBUG) {
+                                Slog.w(TAG, "Dropping invalid path " + info.path);
+                            }
+                            okay = false;
+                        }
+
                         // If the policy is satisfied, go ahead and set up to pipe the
                         // data to the agent.
                         if (DEBUG && okay && mAgent != null) {