From: DoHyun Pyun <dh79.pyun@samsung.com>
Date: Mon, 13 Apr 2020 06:31:25 +0000 (+0900)
Subject: Modify the default download path for security
X-Git-Tag: accepted/tizen/unified/20200423.054503^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=db31a02c01aa6e96c230a30b5eb8c3cf78a4026e;p=platform%2Fcore%2Fconnectivity%2Fbluetooth-share.git

Modify the default download path for security

It is possible to modify the information for the
downaloded files via bluetooth by any apps.
To prevent this security issue this patchset sets
the default path as the secure area, and moves
media files to media download folder.

Change-Id: I2d64c7188171446dedba4b8395f6fcde28f4530e
Signed-off-by: DoHyun Pyun <dh79.pyun@samsung.com>
---

diff --git a/bt-share/include/bt-share-common.h b/bt-share/include/bt-share-common.h
index 90e38d1..e3f2aae 100644
--- a/bt-share/include/bt-share-common.h
+++ b/bt-share/include/bt-share-common.h
@@ -25,6 +25,7 @@ extern "C" {
 #endif
 
 #include <glib.h>
+#include <tzplatform_config.h>
 
 /* Define Error type */
 #define BT_SHARE_FAIL -1
@@ -59,6 +60,8 @@ extern "C" {
 #define HTML_FORMAT "<html><head><meta http-equiv=\"Content-Type\" content=\"text/html;charset=UTF-8\"/></head><body><a href=\"%s\">%s</a></body></html>"
 #define BT_CONTACT_SHARE_TMP_DIR "/opt/usr/home/owner/media/Downloads/"
 
+#define BT_SHARE_DATA_DIR tzplatform_mkpath(TZ_SYS_GLOBALUSER_DATA, "bluetooth-share")
+
 typedef enum {
 	BT_HTTP_FILE,
 	BT_TXT_FILE,
diff --git a/bt-share/src/bt-share-main.c b/bt-share/src/bt-share-main.c
index 00851da..65bb335 100644
--- a/bt-share/src/bt-share-main.c
+++ b/bt-share/src/bt-share-main.c
@@ -367,14 +367,11 @@ static gboolean __bt_dbus_request_name(void)
 
 int _bt_init_obex_server(void)
 {
-	char storage[STORAGE_PATH_LEN_MAX] = {0, };
-
-	_bt_get_default_storage(storage);
-	retvm_if(bluetooth_obex_server_init(storage) != BLUETOOTH_ERROR_NONE,
+	retvm_if(bluetooth_obex_server_init(BT_SHARE_DATA_DIR) != BLUETOOTH_ERROR_NONE,
 			BT_SHARE_FAIL, "Fail to init obex server");
 
 	/* LCOV_EXCL_START */
-	bluetooth_obex_server_set_root(BT_FTP_FOLDER);
+	bluetooth_obex_server_set_root(BT_SHARE_DATA_DIR);
 
 	return BT_SHARE_ERROR_NONE;
 	/* LCOV_EXCL_STOP */
diff --git a/bt-share/src/obex-event-handler.c b/bt-share/src/obex-event-handler.c
index e47952b..5669fcc 100644
--- a/bt-share/src/obex-event-handler.c
+++ b/bt-share/src/obex-event-handler.c
@@ -322,6 +322,29 @@ static gboolean __bt_scan_media_file(char *file_path)
 
 	return TRUE;
 }
+
+static void __bt_move_media_file(char *file_path)
+{
+	char storage[STORAGE_PATH_LEN_MAX] = {0, };
+	char media_file_path[BT_FILE_PATH_LEN_MAX] = {0, };
+
+	retm_if(!file_path, "invalid param!");
+
+	INFO("File path: %s", file_path);
+
+	_bt_get_default_storage(storage);
+
+	retm_if(!BT_SHARE_DATA_DIR, "DATA dir is NULL");
+
+	snprintf(media_file_path, BT_FILE_PATH_LEN_MAX, "%s/%s",
+		storage, file_path + strlen(BT_SHARE_DATA_DIR));
+
+	INFO("Media file path: %s", media_file_path);
+
+	ecore_file_mv(file_path, media_file_path);
+
+	__bt_scan_media_file(media_file_path);
+}
 /* LCOV_EXCL_STOP */
 
 /* LCOV_EXCL_START */
@@ -1271,6 +1294,12 @@ done:
 					file_type != BT_FILE_VCARD) {
 				if (file_type != BT_FILE_VCAL)
 					__bt_scan_media_file(name);
+
+				if (file_type != BT_FILE_VCARD)
+					__bt_move_media_file(name);
+				else
+					ecore_file_remove(name);
+
 				g_free(name);
 				break;
 			}
@@ -1638,13 +1667,14 @@ static gboolean __bt_save_v_object(char *file_path,
 /* LCOV_EXCL_START */
 static void *__bt_obex_writeclose(bt_file_info_t *info)
 {
-	if (__bt_save_v_object(info->file_path, info->file_type) == FALSE) {
-		ERR("Unable to save vObject");
-		__bt_scan_media_file(info->file_path);
-	}
+	if (info->file_type == BT_FILE_VCAL || info->file_type == BT_FILE_VCARD) {
+		if (__bt_save_v_object(info->file_path, info->file_type) == FALSE)
+			ERR("Unable to save vObject");
 
-	if (info->file_type == BT_FILE_VCAL || info->file_type == BT_FILE_VCARD)
 		ecore_file_remove(info->file_path);
+	} else {
+		__bt_move_media_file(info->file_path);
+	}
 
 	__free_file_info(info);
 
diff --git a/packaging/bluetooth-share.spec b/packaging/bluetooth-share.spec
index 5caf1b7..d460f38 100644
--- a/packaging/bluetooth-share.spec
+++ b/packaging/bluetooth-share.spec
@@ -138,6 +138,7 @@ mkdir -p %{_libdir}/systemd/system/multi-user.target.wants/
 %files
 %manifest %{name}.manifest
 %license LICENSE
+%attr(755, network_fw, network_fw)%{TZ_COMM_DATA}/%{name}
 %defattr(-,root,root,-)
 %{_bindir}/bluetooth-share
 #%{_datadir}/dbus-1/system-services/org.bluetooth.share.service