Your app(s) are using a content provider with an unsafe implementation of openFile

前端 未结 2 1907
Happy的楠姐
Happy的楠姐 2021-02-14 13:52

I\'ve received this email after publishing my app on playstore:

Hello Google Play Developer,

We reviewed [MyAppName], with package name com.example.myappname, an

2条回答
  •  爱一瞬间的悲伤
    2021-02-14 14:08

    They actually provide one with all one needs to know; see support.google.com:

    Implementations of openFile in exported ContentProviders can be vulnerable if they do not properly validate incoming Uri parameters. A malicious app can supply a crafted Uri (for example, one that contains “/../”) to trick your app into returning a ParcelFileDescriptor for a file outside of the intended directory, thereby allowing the malicious app to access any file accessible to your app.

    The FileProvider must reject any Uri containing .. ...which are deemed "exploitable".

提交回复
热议问题