From 7bc601d5d7c4586c62ca72e3a9ac4dba1c0c2707 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 22 Sep 2014 15:15:58 -0700
Subject: [PATCH] Sanity-check paths of files to be restored

(cherry picked from commit 7d51cc701a6735cf455af8479f56c9c0b2109e02)
Bug: 16298491
Change-Id: I0c2d6523c9d152dad4d27d06d3853afd432e5af7
---
 .../java/com/android/server/BackupManagerService.java     | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/services/java/com/android/server/BackupManagerService.java b/services/java/com/android/server/BackupManagerService.java
index a537e99dfa983..2c88c3254d2de 100644
--- a/services/java/com/android/server/BackupManagerService.java
+++ b/services/java/com/android/server/BackupManagerService.java
@@ -3390,6 +3390,14 @@ class BackupManagerService extends IBackupManager.Stub {
                                 break;
                         }
 
+                        // The path needs to be canonical
+                        if (info.path.contains("..") || info.path.contains("//")) {
+                            if (MORE_DEBUG) {
+                                Slog.w(TAG, "Dropping invalid path " + info.path);
+                            }
+                            okay = false;
+                        }
+
                         // If the policy is satisfied, go ahead and set up to pipe the
                         // data to the agent.
                         if (DEBUG && okay && mAgent != null) {