authorGary Mai <garymai@google.com>2018-09-05 15:17:41 -0700
committerDenis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>2020-12-01 02:40:38 +0100
commitb1bc0971a86f6455046f2f6143b231f8818822fe (patch)
tree1edcfb3a0a19089f48ebeff146fac39ef90925b6
parent1e2ad0157e708d06728ef575aa556c1e0455d278 (diff)
Don't allow reading of "file://" URIs that don't point to "/storage" during the photo saving flow. This is to prevent malicious apps from asking us to read our own private files which we copy into a temporary "content://" URI that we give to a cropping app (with permission to read). Fixing here patches both PhotoSelectionHandler.java and AttachPhotoActivity.java. Tested: Manual with the fake gallery app. Confirmed that selecting an "image" with a URI of our own shared_pref file fails without reading it. ContactPhotoUtilsTest Bug: 113597344 Change-Id: Iabb4f8139cedb7d7b865d69a4b95a4997f64c71d (cherry picked from commit ccfd94b965c1e9c2e0b239c12137c239c602070d) CVE-2018-9587
-rw-r--r--src/com/android/contacts/util/ContactPhotoUtils.java21
-rw-r--r--tests/src/com/android/contacts/util/ContactPhotoUtilsTest.java49
2 files changed, 67 insertions, 3 deletions
diff --git a/src/com/android/contacts/util/ContactPhotoUtils.java b/src/com/android/contacts/util/ContactPhotoUtils.java
index 01f8267b6..c385cbd46 100644
--- a/src/com/android/contacts/util/ContactPhotoUtils.java
+++ b/src/com/android/contacts/util/ContactPhotoUtils.java
@@ -18,6 +18,7 @@
package com.android.contacts.util;
import android.content.ClipData;
+import android.content.ContentResolver;
import android.content.Context;
import android.content.Intent;
import android.graphics.Bitmap;
@@ -27,10 +28,8 @@ import android.os.Environment;
import android.provider.MediaStore;
import android.support.v4.content.FileProvider;
import android.util.Log;
-
import com.android.contacts.R;
import com.google.common.io.Closeables;
-
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileNotFoundException;
@@ -148,7 +147,7 @@ public class ContactPhotoUtils {
*/
public static boolean savePhotoFromUriToUri(Context context, Uri inputUri, Uri outputUri,
boolean deleteAfterSave) {
- if (inputUri == null || outputUri == null) {
+ if (inputUri == null || outputUri == null || isFilePathAndNotStorage(inputUri)) {
return false;
}
FileOutputStream outputStream = null;
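Review bot: The Javadoc that closes just above this signature is not updated for the new rejection, so a caller gets a bare `false` for a `file://` input outside `/storage` with nothing explaining why. I would add a sentence such as `Returns {@code false} without reading anything when {@code inputUri} is a file:// URI that does not resolve under /storage.` The guard constrains only the `file` scheme, so the same comment should say that `content://` inputs still rely on the resolving provider's own permission checks. The method body continues outside this hunk.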
@@ -179,4 +178,20 @@ public class ContactPhotoUtils {
}
return true;
}
+
+ /**
+ * Returns {@code true} if the {@code inputUri} is a FILE scheme and it does not point to
+ * the storage directory.
+ */
+ private static boolean isFilePathAndNotStorage(Uri inputUri) {
+ if (ContentResolver.SCHEME_FILE.equals(inputUri.getScheme())) {
+ try {
+ File file = new File(inputUri.getPath()).getCanonicalFile();
+ return !file.getCanonicalPath().startsWith("/storage/");
+ } catch (IOException e) {
+ return false;
+ }
+ }
+ return false;
+ }
}
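Review bot: The `catch (IOException e)` branch in `isFilePathAndNotStorage` fails open: when canonicalisation throws, the helper returns `false`, so the caller goes on to read a `file://` URI whose real location could not be established. For a security check the safer default is to reject, i.e. `return true;` in the catch with a comment like `// Could not resolve the path; treat it as outside storage and refuse.` Separately, `inputUri.getPath()` can, as far as I know, be null for an opaque URI, which would make `new File(...)` throw instead of returning; a null check that also returns `true` would cover that. `getCanonicalFile().getCanonicalPath()` canonicalises twice and could be a single `getCanonicalPath()` call.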
diff --git a/tests/src/com/android/contacts/util/ContactPhotoUtilsTest.java b/tests/src/com/android/contacts/util/ContactPhotoUtilsTest.java
new file mode 100644
index 000000000..d17b98c2d
--- /dev/null
+++ b/tests/src/com/android/contacts/util/ContactPhotoUtilsTest.java
@@ -0,0 +1,49 @@
+package com.android.contacts.util;
+
+import android.net.Uri;
+import android.test.AndroidTestCase;
+import android.test.suitebuilder.annotation.SmallTest;
+
+/**
+ * Test cases for {@link ContactPhotoUtils}.
+ *
+ * adb shell am instrument -w -e class com.android.contacts.util.ContactPhotoUtilsTest \
+ * com.android.contacts.tests/android.test.InstrumentationTestRunner
+ */
+@SmallTest
+public class ContactPhotoUtilsTest extends AndroidTestCase {
+
+ private Uri tempUri;
+
+ @Override
+ protected void setUp() throws Exception {
+ tempUri = ContactPhotoUtils.generateTempImageUri(getContext());
+ }
+
+ protected void tearDown() throws Exception {
+ getContext().getContentResolver().delete(tempUri, null, null);
+ }
+
+ public void testFileUriDataPathFails() {
+ String filePath =
+ "file:///data/data/com.android.contacts/shared_prefs/com.android.contacts.xml";
+
+ assertFalse(
+ ContactPhotoUtils.savePhotoFromUriToUri(getContext(), Uri.parse(filePath), tempUri, false));
+ }
+
+ public void testFileUriCanonicalDataPathFails() {
+ String filePath =
+ "file:///storage/../data/data/com.android.contacts/shared_prefs/com.android.contacts.xml";
+
+ assertFalse(
+ ContactPhotoUtils.savePhotoFromUriToUri(getContext(), Uri.parse(filePath), tempUri, false));
+ }
+
+ public void testContentUriInternalPasses() {
+ Uri internal = ContactPhotoUtils.generateTempImageUri(getContext());
+
+ assertTrue(
+ ContactPhotoUtils.savePhotoFromUriToUri(getContext(), internal, tempUri, true));
+ }
+}
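Review bot: The tests pin only the two rejecting cases, a literal `/data` path and one with a `..` segment. Nothing asserts that a `file://` URI resolving under `/storage/` is still accepted, or what the check does when the path cannot be canonicalised, so a regression in either direction would pass unnoticed. I would add a case along the lines of `testFileUriStoragePathPasses` and one for a malformed `file:` URI. Also, `tearDown()` lacks `@Override`, and by convention both `setUp()` and `tearDown()` should call their `super` counterparts.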