From a55168330d9326ff2120285763c818733590266a Mon Sep 17 00:00:00 2001
From: Sam Lee
Date: Wed, 23 Mar 2016 16:53:20 -0700
Subject: Don't allow cachedFile Attachments if the content Uri is pointing to EmailProvider. This is to backport a security fix reported by b/27308057 and b/27335139. Also, add Analytics for these errors.
Bug: b/27335139
Change-Id: I75f6d8f5feb9fc611aa2e429e2b22cbd07223ab9
---
 src/com/android/mail/compose/ComposeActivity.java | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/com/android/mail/compose/ComposeActivity.java b/src/com/android/mail/compose/ComposeActivity.java
index 36456bf03..2dfac99b9 100644
--- a/src/com/android/mail/compose/ComposeActivity.java
+++ b/src/com/android/mail/compose/ComposeActivity.java
@@ -1912,6 +1912,15 @@ public class ComposeActivity extends ActionBarActivity
 }
 }
 
+ /**
+ * @return the authority of EmailProvider for this app. should be overridden in concrete
+ * app implementations. can't be known here because this project doesn't know about that sort
+ * of thing.
+ */
+ protected String getEmailProviderAuthority() {
+ throw new UnsupportedOperationException("unimplemented, EmailProvider unknown");
+ }
+
 /**
 * Helper function to handle a list of uris to attach.
 * @return the total size of all successfully attached files.
@@ -1921,7 +1930,7 @@ public class ComposeActivity extends ActionBarActivity
 for (Uri uri : uris) {
 try {
 if (uri != null) {
- if ("file".equals(uri.getScheme())) {
+ if (ContentResolver.SCHEME_FILE.equals(uri.getScheme())) {
 // We must not allow files from /data, even from our process.
 final File f = new File(uri.getPath());
 final String filePath = f.getCanonicalPath();
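Review bot: The default body of `getEmailProviderAuthority()` in the first hunk throws `UnsupportedOperationException`, so a concrete app that forgets the override only finds out at runtime, the first time a `content:` URI is attached. The attachment helper calls it inside a `try` whose catch clauses are not visible in this patch, so it cannot be confirmed whether that failure crashes the compose screen or is caught, and in the latter case whether the attachment is rejected. I would state the contract in the Javadoc, for example `@throws UnsupportedOperationException unless overridden; called for every content: attachment URI and must return a non-null authority`, and make sure the call site treats any failure here as a rejected attachment. The lower-case sentence fragments in the new Javadoc could be tidied at the same time.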
@@ -1931,7 +1940,16 @@ public class ComposeActivity extends ActionBarActivity
 "send_intent_attachment", "data_dir", 0);
 continue;
 }
+ } else if (ContentResolver.SCHEME_CONTENT.equals(uri.getScheme())) {
+ // disallow attachments from our own EmailProvider (b/27308057)
+ if (getEmailProviderAuthority().equals(uri.getAuthority())) {
+ showErrorToast(getString(R.string.attachment_permission_denied));
+ Analytics.getInstance().sendEvent(ANALYTICS_CATEGORY_ERRORS,
+ "send_intent_attachment", "email_provider", 0);
+ continue;
+ }
 }
+
 if (!handleSpecialAttachmentUri(uri)) {
 final Attachment a = mAttachmentsView.generateLocalAttachment(uri);
 attachments.add(a);
-- 
cgit v1.2.3
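Review bot: The new `content:` branch is a deny-list of exactly one authority, compared as a raw string in `getEmailProviderAuthority().equals(uri.getAuthority())`. The attachment is presumably read later under this app's own identity, so any other provider in the same package would still pass, and the comparison only holds if the resolver looks up the authority in exactly the form compared here. A stricter check would resolve the authority with `getPackageManager().resolveContentProvider(uri.getAuthority(), 0)` and reject any provider whose `packageName` is this app's own unless it is on an explicit allow-list; whether other in-package providers exist is not visible here. The enclosing loop and `try` begin and end outside this hunk, so how an exception from the un-overridden base method is handled cannot be confirmed from these lines.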