JohnLines / mediclog

Android Medical information log
GNU General Public License v3.0

IDOR vulnerability #23

Closed WebSabaki closed 4 years ago

WebSabaki commented 5 years ago

Hi.

The LocalFileProvider provider is vulnerable to IDOR and to path traversal https://support.google.com/faqs/answer/7496913?hl=en.

Any reason to export it totally? If not, then please don't.

I would go with "yes" then I would add 2 security checks:

a.1) force the grantUriPermission and make it exported=false

a.2) grant the Uri during sendAction

b) I would still canonical check it (as per above)

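```java
// Resolve the requested name under DIR and reject anything that
// canonicalizes to a location outside it.
File f = new File(DIR, uri.getLastPathSegment());
if (!f.getCanonicalPath().startsWith(DIR)) {
  throw new IllegalArgumentException();
}
```
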
JohnLines commented 4 years ago

This does have to be exported, have canonical checked within LocalFileProvider

Fixed in release 0.2.6
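
The canonical-path check suggested in the first comment, written out as a stand-alone Java program (an added example, not code from this issue or from mediclog). `DIR`, the `content://` URIs and `lastPathSegment`, a stand-in for `android.net.Uri#getLastPathSegment()` so it runs without the Android SDK, are assumptions; it goes one step beyond the snippet above by comparing against the directory plus a trailing separator, so a sibling directory sharing the prefix is rejected too.

```java
import java.io.File;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class CanonicalCheckDemo {
    // Assumed export directory (constructed; not mediclog's real path).
    static final File DIR = new File("/data/data/org.example.app/files/export");

    // Stand-in for android.net.Uri#getLastPathSegment(): the segment comes
    // back percent-decoded, so an encoded "%2F" turns into a real "/".
    static String lastPathSegment(String uri) {
        String path = uri.substring(uri.indexOf('/', "content://".length()));
        String last = path.substring(path.lastIndexOf('/') + 1);
        return URLDecoder.decode(last, StandardCharsets.UTF_8);
    }

    // Resolve the requested file and refuse anything outside DIR.
    static File resolve(String uri) throws IOException {
        File base = DIR.getCanonicalFile();
        File f = new File(base, lastPathSegment(uri)).getCanonicalFile();
        // Compare with a trailing separator: a bare startsWith(base) would
        // also accept the sibling directory ".../export_old".
        if (!f.getPath().startsWith(base.getPath() + File.separator)) {
            throw new IllegalArgumentException("outside " + base + ": " + f);
        }
        return f;
    }

    public static void main(String[] args) throws IOException {
        String[] uris = { // constructed sample requests
            "content://org.example.app.provider/log.csv",
            "content://org.example.app.provider/..%2F..%2Fdatabases%2Fapp.db",
            "content://org.example.app.provider/..%2Fexport_old%2Flog.csv",
        };
        for (String uri : uris) {
            try {
                System.out.println("ALLOW " + resolve(uri));
            } catch (IllegalArgumentException e) {
                System.out.println("DENY  " + e.getMessage());
            }
        }
    }
}
```

Only the first request resolves inside the export directory; the other two are refused, the last one solely because of the separator in the prefix comparison.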