From 5e9de4447c95cd9ed332ec012b4d73ad7a8ef8b2 Mon Sep 17 00:00:00 2001
From: Vincent Breitmoser <valodim@mugenguild.com>
Date: Fri, 6 May 2016 12:54:35 +0200
Subject: external-provider: only allow permission check for caller package
 names

---
 .../keychain/remote/KeychainExternalProvider.java  | 32 +++++++++++++++++-----
 1 file changed, 25 insertions(+), 7 deletions(-)

(limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/KeychainExternalProvider.java')

diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/KeychainExternalProvider.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/KeychainExternalProvider.java
index 7eb5d558f..455857f00 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/KeychainExternalProvider.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/KeychainExternalProvider.java
@@ -24,12 +24,14 @@ import java.util.HashMap;
 
 import android.content.ContentProvider;
 import android.content.ContentValues;
+import android.content.Context;
 import android.content.UriMatcher;
 import android.database.Cursor;
 import android.database.DatabaseUtils;
 import android.database.sqlite.SQLiteDatabase;
 import android.database.sqlite.SQLiteQueryBuilder;
 import android.net.Uri;
+import android.os.Binder;
 import android.support.annotation.NonNull;
 import android.text.TextUtils;
 
@@ -206,16 +208,13 @@ public class KeychainExternalProvider extends ContentProvider implements SimpleC
                 break;
             }
 
-            case API_APPS: {
-                qb.setTables(Tables.API_APPS);
-
-                break;
-            }
-
             case API_APPS_BY_PACKAGE_NAME: {
+                String requestedPackageName = uri.getLastPathSegment();
+                checkIfPackageBelongsToCaller(getContext(), requestedPackageName);
+
                 qb.setTables(Tables.API_APPS);
                 qb.appendWhere(ApiApps.PACKAGE_NAME + " = ");
-                qb.appendWhereEscapeString(uri.getLastPathSegment());
+                qb.appendWhereEscapeString(requestedPackageName);
 
                 break;
             }
@@ -248,6 +247,25 @@ public class KeychainExternalProvider extends ContentProvider implements SimpleC
         return cursor;
     }
 
+    private void checkIfPackageBelongsToCaller(Context context, String requestedPackageName) {
+        int callerUid = Binder.getCallingUid();
+        String[] callerPackageNames = context.getPackageManager().getPackagesForUid(callerUid);
+        if (callerPackageNames == null) {
+            throw new IllegalStateException("Failed to retrieve caller package name, this is an error!");
+        }
+
+        boolean packageBelongsToCaller = false;
+        for (String p : callerPackageNames) {
+            if (p.equals(requestedPackageName)) {
+                packageBelongsToCaller = true;
+                break;
+            }
+        }
+        if (!packageBelongsToCaller) {
+            throw new SecurityException("ExternalProvider may only check status of caller package!");
+        }
+    }
+
     @Override
     public Uri insert(@NonNull Uri uri, ContentValues values) {
         throw new UnsupportedOperationException();
-- 
cgit v1.2.3