From: Po Lu Date: Thu, 11 Jul 2024 03:38:41 +0000 (+0800) Subject: Take precautions against ill-formed content URIs X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=637d3cb0cd20133e5ac4224995e3733eb67cd481;p=emacs.git Take precautions against ill-formed content URIs * java/org/gnu/emacs/EmacsService.java (openContentUri) (checkContentUri): Verify that URIs derived from user-provided file names can be parsed before attempting to open them. (cherry picked from commit e0b271e279ba5b606330908604ac4fa42a389b30) --- diff --git a/java/org/gnu/emacs/EmacsService.java b/java/org/gnu/emacs/EmacsService.java index 77124a7d80f..7afe4c7f82e 100644 --- a/java/org/gnu/emacs/EmacsService.java +++ b/java/org/gnu/emacs/EmacsService.java @@ -987,6 +987,7 @@ public final class EmacsService extends Service String name, mode; ParcelFileDescriptor fd; int i; + Uri uriObject; /* Figure out the file access mode. */ @@ -1001,12 +1002,20 @@ public final class EmacsService extends Service if (truncate) mode += "t"; + /* Decode the URI. It might be possible for a perverse user to + construct a content file name that Android finds unparsable, so + punt if the result is NULL. */ + + uriObject = Uri.parse (uri); + if (uriObject == null) + return -1; + /* Try to open a corresponding ParcelFileDescriptor. Though `fd.detachFd' is exclusive to Honeycomb and up, this function is never called on systems older than KitKat, which is Emacs's minimum requirement for access to /content/by-authority. */ - fd = resolver.openFileDescriptor (Uri.parse (uri), mode); + fd = resolver.openFileDescriptor (uriObject, mode); if (fd == null) return -1; @@ -1027,7 +1036,14 @@ public final class EmacsService extends Service Uri uri; int rc, flags; + /* Decode the URI. It might be possible that perverse user should + construct a content file name that Android finds unparsable, so + punt if the result is NULL. */ + uri = Uri.parse (name); + if (uri == null) + return false; + flags = 0; if (readable)