validate_path should only reject sudirs named ".."

Subdirs contaning ".." in the dir name should be valid e.g. "example..com" Bug: 361246509 Test: atest installd_utils_test Flag: EXEMPT bug fix Change-Id: I1896cde831c20289490187dc1b45c04461e5d849
author: William Loh <wloh@google.com> 2024-08-27 17:23:51 +0000
committer: William Loh <wloh@google.com> 2024-08-27 22:08:20 +0000
commit: 43d38c58af25c739cdcbfb3b46c412a564991d73 (patch)
tree: 7fa19f7af02257e1a22e590286c37b12488e6428
parent: 268f495f2d4e9fd2b72b47d8bb91a492427bd723 (diff)
2 files changed, 17 insertions, 9 deletions
diff --git a/cmds/installd/tests/installd_utils_test.cpp b/cmds/installd/tests/installd_utils_test.cpp
index 910cd630f3..19201b2c89 100644
--- a/cmds/installd/tests/installd_utils_test.cpp
+++ b/cmds/installd/tests/installd_utils_test.cpp
@@ -101,6 +101,9 @@ TEST_F(UtilsTest, IsValidApkPath_Internal) {
     EXPECT_EQ(0, validate_apk_path(path2))
             << path2 << " should be allowed as a valid path";
 
+    const char* path3 = TEST_APP_DIR "..example..com../example.apk";
+    EXPECT_EQ(0, validate_apk_path(path3)) << path3 << " should be allowed as a valid path";
+
     const char *badint1 = TEST_APP_DIR "../example.apk";
     EXPECT_EQ(-1, validate_apk_path(badint1))
             << badint1 << " should be rejected as a invalid path";
diff --git a/cmds/installd/utils.cpp b/cmds/installd/utils.cpp
index ffc082d5b2..b05c655517 100644
--- a/cmds/installd/utils.cpp
+++ b/cmds/installd/utils.cpp
@@ -1040,25 +1040,30 @@ static int validate_path(const std::string& dir, const std::string& path, int ma
         LOG(ERROR) << "Invalid directory " << dir;
         return -1;
     }
-    if (path.find("..") != std::string::npos) {
-        LOG(ERROR) << "Invalid path " << path;
-        return -1;
-    }
 
     if (path.compare(0, dir.size(), dir) != 0) {
         // Common case, path isn't under directory
         return -1;
     }
 
-    // Count number of subdirectories
-    auto pos = path.find('/', dir.size());
+    // Count number of subdirectories and invalidate ".." subdirectories
+    auto last = dir.size();
+    auto pos = path.find('/', last);
     int count = 0;
     while (pos != std::string::npos) {
-        auto next = path.find('/', pos + 1);
-        if (next > pos + 1) {
+        if (pos > last + 1) {
             count++;
         }
-        pos = next;
+        if (path.substr(last, pos - last) == "..") {
+            LOG(ERROR) << "Invalid path " << path;
+            return -1;
+        }
+        last = pos + 1;
+        pos = path.find('/', last);
+    }
+    if (path.substr(last, path.size() - last) == "..") {
+        LOG(ERROR) << "Invalid path " << path;
+        return -1;
     }
 
     if (count > maxSubdirs) {
author	William Loh <wloh@google.com>	2024-08-27 17:23:51 +0000
committer	William Loh <wloh@google.com>	2024-08-27 22:08:20 +0000
commit	43d38c58af25c739cdcbfb3b46c412a564991d73 (patch)
tree	7fa19f7af02257e1a22e590286c37b12488e6428
parent	268f495f2d4e9fd2b72b47d8bb91a492427bd723 (diff)