So I was publishing my newest game and I received this alert in my google play console:
Security alert Your app is using a content provider with an unsafe implementation of openFile. Please see this Google Help Center article for details. Vulnerable classes: com.ansca.corona.storage.FileContentProvider Please fix the issue before: 02/06/2018
Apparently there is some new policy google is going to be implementing in Jan 18 regarding openFile.
The only openFile I use is to load my settings/highscore file. Which is done via a loadSave.lua file which I copied from here.
Once I clicked on the google help center this is what I recieved:
Path Traversal Vulnerability This information is intended for developers with app(s) that contain the Path Traversal Vulnerability. What’s happening Beginning January 16th, 2018, Google Play will block publishing of any new apps or updates which contain the Path traversal Vulnerability. Your published APK version will remain unaffected, however any updates to the app will be blocked unless you address this vulnerability. Action required Implementations of openFile in exported ContentProviders can be vulnerable if they do not properly validate incoming Uri parameters. A malicious app can supply a crafted Uri (for example, one that contains “/../”) to trick your app into returning a ParcelFileDescriptor for a file outside of the intended directory, thereby allowing the malicious app to access any file accessible to your app. There are two recommended strategies for eliminating a Path Traversal Vulnerability in a ContentProvider. 1. If your ContentProvider does not need to be exposed to other apps: You can modify the \<provider\> tag of the affected ContentProvider in your Manifest to set android:exported=”false”. This will prevent other apps from sending Intents to the affected ContentProvider. You can also set the android:permission attribute to be a permission with android:protectionLevel=“signature” to prevent apps written by other developers from sending Intents to the affected ContentProvider. 2. If your ContentProvider needs to be exposed to other apps: You must correctly ensure that inputs to openFile that contain path traversal characters cannot cause your app to return unexpected files. You can do this by checking the file’s canonical path. For example: public ParcelFileDescriptor openFile (Uri uri, String mode) throws FileNotFoundException { File f = new File(DIR, uri.getLastPathSegment()); if (!f.getCanonicalPath().startsWith(DIR)) { throw new IllegalArgumentException(); } return ParcelFileDescriptor.open(f, ParcelFileDescriptor.MODE\_READ\_ONLY); } Caveats: Note that calling getLastPathSegment on the Uri parameter is not safe. A malicious app can supply an encoded Uri path like %2F..%2F..path%2Fto%2Fsecret.txt so the result of getLastPathSegment will be /../../path/to/secret.txt. For example, the following implementation is still vulnerable to attack. public ParcelFileDescriptor openFile(Uri uri, String mode){ File f = new File(DIR, uri.getLastPathSegment()); return ParcelFileDescriptor.open(f, ParcelFileDescriptor.MODE\_READ\_ONLY); } Next steps Update your app using the strategies listed above. Sign in to your Play Console and submit the updated version of your app. Check back after five hours; we’ll show a warning message if the app hasn’t been updated correctly.
Since we let corona do so much with its API and the LUA we use… I don’t really understand this fix described.
Anyone know how to fix this, or is this something corona devs will have to fix?
