Path Traversal Vulnerability in Content Provider versions 2.3.3 – 2.8.0
We found a path traversal vulnerability in DocumentSharingProvider
. This affects PSPDFKit for Android versions 2.3.3 – 2.8.0. It is strongly recommended you update to version 2.9.0 to avoid it.
Issue
DocumentSharingProvider
is required for the PDF document sharing functionality inside the PSPDFKit PDF framework. The sharing flow saves a processed document into the pspdfkit/sharing
subdirectory of the application’s private cache directory. DocumentSharingProvider
then exposes that sharing directory to the receiving application with a content URI (typically content://application.package.name.pdf.share/document.pdf
). Due to bugs in certain Samsung firmware, the provider must be exported, even if grantUriPermissions
is set to true
.
We have found there are means to create the content URI in a way that exposes other private application files outside the cache/pspdfkit/sharing
directory.
Mitigation
To mitigate the issue on older versions of PSPDFKit, DocumentSharingProvider
should be unexported. This will prevent other applications from accessing it. Add an entry to your AndroidManifest.xml
for DocumentSharingProvider
and set android:exported
to false
. As a side effect, it may break sharing functionality on some versions of Samsung firmware:
<provider android:name="com.pspdfkit.document.sharing.DocumentSharingProvider" android:authorities="${applicationId}.pdf.share" android:exported="false" android:grantUriPermissions="true" />
Fix
The fix was committed on 12 January 2016 (ticket number #9136) and was released as part of PSPDFKit for Android 2.9.0.