authorEkin Oguz <ekinoguz@google.com>2018-01-29 21:07:34 (GMT)
committerTim Schumacher <timschumi@gmx.de>2018-04-06 20:30:48 (GMT)
commit605ad24f835b6ba23ef5ec74255cbedb841827bd (patch)
treec8cc356419e5dc62d28acc25ef261eb0e1e47438
parentd57d1bc51235f443edfd0f98548026e8c164c2a6 (diff)
Disallow attaching files from our own EmailAttachmentProvider.HEADreplicant-6.0-0004-rc1cm-13.0
This is to backport a security fix reported in b/71814449 and b/72569023. Fix is using the same approach as b/27308057, which is to prevent Compose from accepting URIs with our own email attachment provider. Bug: b/71814449 Change-Id: Idcc002b94bcea913383b54bcf1dc5c3e1d254ded (cherry picked from commit 44a5db2dc0ace4d360699c11c27d5c10b43ad628)
-rw-r--r--src/com/android/mail/compose/ComposeActivity.java13
1 files changed, 12 insertions, 1 deletions
diff --git a/src/com/android/mail/compose/ComposeActivity.java b/src/com/android/mail/compose/ComposeActivity.java
index 5f125ab..489f6d8 100644
--- a/src/com/android/mail/compose/ComposeActivity.java
+++ b/src/com/android/mail/compose/ComposeActivity.java
@@ -1922,6 +1922,15 @@ public class ComposeActivity extends ActionBarActivity
}
/**
+ * @return the authority of EmailAttachmentProvider for this app. should be overridden in
+ * concrete app implementations. can't be known here because this project doesn't know about
+ * that sort of thing.
+ */
+ protected String getEmailAttachmentProviderAuthority() {
+ throw new UnsupportedOperationException("unimplemented, EmailAttachmentProvider unknown");
+ }
+
+ /**
* Helper function to handle a list of uris to attach.
* @return the total size of all successfully attached files.
*/
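Review bot: The default body of `getEmailAttachmentProviderAuthority()` throws, and the second hunk calls it for every `content://` URI whose authority is not the EmailProvider's, so a subclass that misses the override fails when a user attaches a file rather than at build time. That fails closed, which is the safe direction for this check, but the Javadoc should state it and name the security purpose, for example `@return the authority of this app's EmailAttachmentProvider, used to reject attachment URIs that point back at our own provider (b/71814449); subclasses must override, the default throws`. The hunk header shows ComposeActivity declared as a non-abstract class, so the method cannot simply be made `abstract` without a wider change; a test in each concrete app that exercises the attach path would catch a missing override.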
@@ -1942,7 +1951,9 @@ public class ComposeActivity extends ActionBarActivity
}
} else if (ContentResolver.SCHEME_CONTENT.equals(uri.getScheme())) {
// disallow attachments from our own EmailProvider (b/27308057)
- if (getEmailProviderAuthority().equals(uri.getAuthority())) {
+ if (getEmailProviderAuthority().equals(uri.getAuthority())
+ || getEmailAttachmentProviderAuthority().equals(
+ uri.getAuthority())) {
showErrorToast(getString(R.string.attachment_permission_denied));
Analytics.getInstance().sendEvent(ANALYTICS_CATEGORY_ERRORS,
"send_intent_attachment", "email_provider", 0);
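Review bot: The comment above the condition and the analytics label `"email_provider"` still describe only the EmailProvider case, so a rejection triggered by the attachment provider authority cannot be told apart in telemetry and the comment cites only b/27308057. I would change the comment to `// disallow attachments from our own EmailProvider (b/27308057) and EmailAttachmentProvider (b/71814449)` and report the new case under its own label. Both comparisons are exact matches on the raw `uri.getAuthority()` string; it is worth confirming that the compared form is the same one the content resolver uses to pick the provider, since a denylist only holds if no other spelling of the authority reaches it. The enclosing method starts and ends outside the hunk.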