Path Traversal Vulnerability in Content Provider

We found a path traversal vulnerability in DocumentSharingProvider. This affects PSPDFKit for Android versions 2.3.3 – 2.8.0. It is strongly recommended you update to version 2.9.0 to avoid it.

Issue

DocumentSharingProvider is required for the PDF document sharing functionality inside the PSPDFKit PDF framework. The sharing flow saves a processed document into the pspdfkit/sharing subdirectory of the application’s private cache directory. DocumentSharingProvider then exposes that sharing directory to the receiving application with a content URI (typically content://application.package.name.pdf.share/document.pdf). Due to bugs in certain Samsung firmwares, the provider must be exported, even if grantUriPermissions is set to true. We have found there are means to create the content URI in a way that exposes other private application files outside the cache/pspdfkit/sharing directory.

Mitigation

To mitigate the issue on older versions of PSPDFKit, DocumentSharingProvider should be unexported. This will prevent other applications from accessing it. Add an entry to your AndroidManifest.xml for DocumentSharingProvider and set android:exported to false. As a side effect, it may break sharing functionality on some versions of Samsung firmware:

Copy
1
2
3
4
5
        <provider
            android:name="com.pspdfkit.document.sharing.DocumentSharingProvider"
            android:authorities="${applicationId}.pdf.share"
            android:exported="false"
            android:grantUriPermissions="true" />

Fix

The fix was committed on 12 January 2016 (ticket number #9136) and has been released as part of PSPDFKit for Android 2.9.0.