gaoyang3513/SDK_RK3288
Template
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[packages/apps/Bluetooth] DO NOT MERGE Fix security vulnerabilities in permission of deleting MMS/SMS

Browse Source 
This CL adds permission check to avoid unauthorized deletion of any MMS/SMS
messages in BluetoothMapContentObserver.actionMessageSentDisconnected
function.

Bug: 22343270
Change-Id: I30254036309733be4d54db17a8ef17a571cd1c5a
This commit is contained in:
Firefly
2015-07-20 12:14:25 -07:00
committed by djw
parent 937e123f6c
commit b5012c5b63
1 changed files with 14 additions and 80 deletions
Download Patch File Download Diff File Expand all files Collapse all files

94
packages/apps/Bluetooth/src/com/android/bluetooth/map/BluetoothMapContentObserver.java
View File

@ -34,6 +34,7 @@ import javax.obex.ResponseCodes;
import org.xmlpull.v1.XmlSerializer;
import android.Manifest;
import android.app.Activity;
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
@ -45,13 +46,16 @@ import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.IntentFilter.MalformedMimeTypeException;
import android.content.pm.PackageManager;
import android.database.ContentObserver;
import android.database.Cursor;
import android.net.Uri;
import android.os.Build;
import android.os.Binder;
import android.os.Handler;
import android.os.Message;
import android.os.ParcelFileDescriptor;
import android.os.Process;
import android.os.RemoteException;
import android.provider.BaseColumns;
import com.android.bluetooth.mapapi.BluetoothMapContract;
@ -1704,9 +1708,6 @@ public class BluetoothMapContentObserver {
IntentFilter intentFilter = new IntentFilter();
intentFilter.addAction(ACTION_MESSAGE_DELIVERY);
/* The reception of ACTION_MESSAGE_SENT have been moved to the MAP
* service, to be able to handle message sent events after a disconnect. */
//intentFilter.addAction(ACTION_MESSAGE_SENT);
try{
intentFilter.addDataType("message/*");
} catch (MalformedMimeTypeException e) {
@ -1737,20 +1738,7 @@ public class BluetoothMapContentObserver {
return;
}
if (action.equals(ACTION_MESSAGE_SENT)) {
int result = intent.getIntExtra(EXTRA_MESSAGE_SENT_RESULT, Activity.RESULT_CANCELED);
msgInfo.partsSent++;
if(result != Activity.RESULT_OK) {
// If just one of the parts in the message fails, we need to send the entire message again
msgInfo.failedSent = true;
}
if(D) Log.d(TAG, "onReceive: msgInfo.partsSent = " + msgInfo.partsSent
+ ", msgInfo.parts = " + msgInfo.parts + " result = " + result);
if (msgInfo.partsSent == msgInfo.parts) {
actionMessageSent(context, intent, msgInfo);
}
} else if (action.equals(ACTION_MESSAGE_DELIVERY)) {
if (action.equals(ACTION_MESSAGE_DELIVERY)) {
long timestamp = intent.getLongExtra(EXTRA_MESSAGE_SENT_TIMESTAMP, 0);
int status = -1;
if(msgInfo.timestamp == timestamp) {
@ -1776,67 +1764,6 @@ public class BluetoothMapContentObserver {
}
}
private void actionMessageSent(Context context, Intent intent, PushMsgInfo msgInfo) {
/* As the MESSAGE_SENT intent is forwarded from the MAP service, we use the intent
* to carry the result, as getResult() will not return the correct value.
*/
boolean delete = false;
if(D) Log.d(TAG,"actionMessageSent(): msgInfo.failedSent = " + msgInfo.failedSent);
msgInfo.sendInProgress = false;
if (msgInfo.failedSent == false) {
if(D) Log.d(TAG, "actionMessageSent: result OK");
if (msgInfo.transparent == 0) {
if (!Sms.moveMessageToFolder(context, msgInfo.uri,
Sms.MESSAGE_TYPE_SENT, 0)) {
Log.w(TAG, "Failed to move " + msgInfo.uri + " to SENT");
}
} else {
delete = true;
}
Event evt = new Event(EVENT_TYPE_SENDING_SUCCESS, msgInfo.id,
folderSms[Sms.MESSAGE_TYPE_SENT], null, mSmsType);
sendEvent(evt);
} else {
if (msgInfo.retry == 1) {
/* Notify failure, but keep message in outbox for resending */
msgInfo.resend = true;
msgInfo.partsSent = 0; // Reset counter for the retry
msgInfo.failedSent = false;
Event evt = new Event(EVENT_TYPE_SENDING_FAILURE, msgInfo.id,
folderSms[Sms.MESSAGE_TYPE_OUTBOX], null, mSmsType);
sendEvent(evt);
} else {
if (msgInfo.transparent == 0) {
if (!Sms.moveMessageToFolder(context, msgInfo.uri,
Sms.MESSAGE_TYPE_FAILED, 0)) {
Log.w(TAG, "Failed to move " + msgInfo.uri + " to FAILED");
}
} else {
delete = true;
}
Event evt = new Event(EVENT_TYPE_SENDING_FAILURE, msgInfo.id,
folderSms[Sms.MESSAGE_TYPE_FAILED], null, mSmsType);
sendEvent(evt);
}
}
if (delete == true) {
/* Delete from Observer message list to avoid delete notifications */
synchronized(mMsgListSms) {
mMsgListSms.remove(msgInfo.id);
}
/* Delete from DB */
mResolver.delete(msgInfo.uri, null, null);
}
}
private void actionMessageDelivery(Context context, Intent intent, PushMsgInfo msgInfo) {
Uri messageUri = intent.getData();
msgInfo.sendInProgress = false;
@ -1878,6 +1805,13 @@ public class BluetoothMapContentObserver {
}
static public void actionMessageSentDisconnected(Context context, Intent intent, int result) {
/* Check permission for message deletion. */
if (context.checkCallingOrSelfPermission(android.Manifest.permission.WRITE_SMS)
!= PackageManager.PERMISSION_GRANTED) {
Log.w(TAG, "actionMessageSentDisconnected: Not allowed to delete SMS/MMS messages");
return;
}
boolean delete = false;
//int retry = intent.getIntExtra(EXTRA_MESSAGE_SENT_RETRY, 0);
int transparent = intent.getIntExtra(EXTRA_MESSAGE_SENT_TRANSPARENT, 0);
@ -1914,10 +1848,10 @@ public class BluetoothMapContentObserver {
}
}
if (delete == true) {
if (delete) {
/* Delete from DB */
ContentResolver resolver = context.getContentResolver();
if(resolver != null) {
if (resolver != null) {
resolver.delete(uri, null, null);
} else {
Log.w(TAG, "Unable to get resolver");