Validate MTP path
Bug: 17673184
Change-Id: I51a64f065d9b3609557af81e596ebeb8720ab6c5
diff --git a/media/java/android/mtp/MtpDatabase.java b/media/java/android/mtp/MtpDatabase.java
index fce3fd0..1921f47 100755
--- a/media/java/android/mtp/MtpDatabase.java
+++ b/media/java/android/mtp/MtpDatabase.java
@@ -39,6 +39,7 @@
import android.view.WindowManager;
import java.io.File;
+import java.io.IOException;
import java.util.HashMap;
import java.util.Locale;
@@ -300,8 +301,27 @@
return false;
}
+ // returns true if the path is in the storage root
+ private boolean inStorageRoot(String path) {
+ try {
+ File f = new File(path);
+ String canonical = f.getCanonicalPath();
+ if (canonical.startsWith(mMediaStoragePath)) {
+ return true;
+ }
+ } catch (IOException e) {
+ // ignore
+ }
+ return false;
+ }
+
private int beginSendObject(String path, int format, int parent,
int storageId, long size, long modified) {
+ // if the path is outside of the storage root, do not allow access
+ if (!inStorageRoot(path)) {
+ Log.e(TAG, "attempt to put file outside of storage area: " + path);
+ return -1;
+ }
// if mSubDirectories is not null, do not allow copying files to any other locations
if (!inStorageSubDirectory(path)) return -1;