diff options
author | Tom Taylor <tomtaylor@google.com> | 2016-12-06 16:26:14 -0800 |
---|---|---|
committer | Brinly Taylor <brinly@brinly.me> | 2017-03-13 04:58:44 +0000 |
commit | 04b3ef8ed45bf90c7da89935209f0f4375137197 (patch) | |
tree | 38bbef4d68f1600cb764e7b94df1b0a781d7bf5c | |
parent | 695a54573371e0e4199e3fd3454802dc821725f3 (diff) | |
download | android_packages_apps_Messaging-04b3ef8ed45bf90c7da89935209f0f4375137197.tar.gz android_packages_apps_Messaging-04b3ef8ed45bf90c7da89935209f0f4375137197.tar.bz2 android_packages_apps_Messaging-04b3ef8ed45bf90c7da89935209f0f4375137197.zip |
resolve merge conflicts of eafd58a to nyc-dev
Change-Id: I58151ca0c248dd4b84c78c8e7ca73d5a80bbd962
(cherry picked from commit a43c5c5f18d966355a63db194c931e02267a2695)
(cherry picked from commit b5ef5630a7b05676ef9c48d43c3752712cefd814)
mh0rst: Backport from android-7.1.1_r21
-rw-r--r-- | src/com/android/messaging/ui/mediapicker/DocumentImagePicker.java | 13 | ||||
-rw-r--r-- | src/com/android/messaging/util/FileUtil.java | 18 |
2 files changed, 31 insertions, 0 deletions
diff --git a/src/com/android/messaging/ui/mediapicker/DocumentImagePicker.java b/src/com/android/messaging/ui/mediapicker/DocumentImagePicker.java index 2c36752..bb267da 100644 --- a/src/com/android/messaging/ui/mediapicker/DocumentImagePicker.java +++ b/src/com/android/messaging/ui/mediapicker/DocumentImagePicker.java @@ -24,6 +24,8 @@ import android.os.Bundle; import com.android.messaging.Factory; import com.android.messaging.datamodel.data.PendingAttachmentData; import com.android.messaging.ui.UIIntents; +import com.android.messaging.util.LogUtil; +import com.android.messaging.util.FileUtil; import com.android.messaging.util.ImageUtils; import com.android.messaging.util.SafeAsyncTask; @@ -111,12 +113,23 @@ public class DocumentImagePicker { new SafeAsyncTask<Void, Void, String>() { @Override protected String doInBackgroundTimed(final Void... params) { + if (FileUtil.isInPrivateDir(documentUri)) { + // hacker sending private app data. Bail out + if (LogUtil.isLoggable(LogUtil.BUGLE_TAG, LogUtil.ERROR)) { + LogUtil.e(LogUtil.BUGLE_TAG, "Aborting attach of private app data (" + + documentUri + ")"); + } + return null; + } return ImageUtils.getContentType( Factory.get().getApplicationContext().getContentResolver(), documentUri); } @Override protected void onPostExecute(final String contentType) { + if (contentType == null) { + return; // bad uri on input + } // Ask the listener to create a temporary placeholder item to show the progress. final PendingAttachmentData pendingItem = PendingAttachmentData.createPendingAttachmentData(contentType, diff --git a/src/com/android/messaging/util/FileUtil.java b/src/com/android/messaging/util/FileUtil.java index 7c47ae9..f76e4fd 100644 --- a/src/com/android/messaging/util/FileUtil.java +++ b/src/com/android/messaging/util/FileUtil.java @@ -16,7 +16,11 @@ package com.android.messaging.util; +import android.content.ContentResolver; import android.content.Context; +import android.net.Uri; +import android.os.Environment; +import android.text.TextUtils; import android.webkit.MimeTypeMap; import com.android.messaging.Factory; @@ -116,6 +120,20 @@ public class FileUtil { } } + private static boolean isFileUri(final Uri uri) { + return TextUtils.equals(uri.getScheme(), ContentResolver.SCHEME_FILE); + } + // Checks if the file is in /data, and don't allow any app to send personal information. + // We're told it's possible to create world readable hardlinks to other apps private data + // so we ban all /data file uris. + public static boolean isInPrivateDir(Uri uri) { + if (!isFileUri(uri)) { + return false; + } + final File file = new File(uri.getPath()); + return isSameOrSubDirectory(Environment.getDataDirectory(), file); + } + /** * Checks, whether the child directory is the same as, or a sub-directory of the base * directory. |