author | Gary Mai <garymai@google.com> | 2018-09-05 15:17:41 -0700 |
---|---|---|
committer | Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> | 2020-12-01 02:40:38 +0100 |
commit | b1bc0971a86f6455046f2f6143b231f8818822fe (patch) | |
tree | 1edcfb3a0a19089f48ebeff146fac39ef90925b6 | |
parent | 1e2ad0157e708d06728ef575aa556c1e0455d278 (diff) | |
Patch URI vulnerability in contact photo editing
replicant-6.0-0004-transition replicant-6.0-0004-rc6 replicant-6.0-0004-rc5-transition replicant-6.0-0004-rc5 replicant-6.0-0004-rc4 replicant-6.0-0004 replicant-6.0
Don't allow reading of "file://" URIs that don't point to "/storage" during the
photo saving flow.
This is to prevent malicious apps from asking us to read our own private
files which we copy into a temporary "content://" URI that we give to a
cropping app (with permission to read).
Fixing here patches both PhotoSelectionHandler.java and
AttachPhotoActivity.java.
Tested:
Manual with the fake gallery app. Confirmed that selecting an "image"
with a URI of our own shared_pref file fails without reading it.
ContactPhotoUtilsTest
Bug: 113597344
Change-Id: Iabb4f8139cedb7d7b865d69a4b95a4997f64c71d
(cherry picked from commit ccfd94b965c1e9c2e0b239c12137c239c602070d)
CVE-2018-9587
-rw-r--r-- | src/com/android/contacts/util/ContactPhotoUtils.java | 21 | ||||
-rw-r--r-- | tests/src/com/android/contacts/util/ContactPhotoUtilsTest.java | 49 |
2 files changed, 67 insertions, 3 deletions
diff --git a/src/com/android/contacts/util/ContactPhotoUtils.java b/src/com/android/contacts/util/ContactPhotoUtils.java
index 01f8267b6..c385cbd46 100644
--- a/src/com/android/contacts/util/ContactPhotoUtils.java
+++ b/src/com/android/contacts/util/ContactPhotoUtils.java
@@ -18,6 +18,7 @@
 package com.android.contacts.util;
 
 import android.content.ClipData;
+import android.content.ContentResolver;
 import android.content.Context;
 import android.content.Intent;
 import android.graphics.Bitmap;
@@ -27,10 +28,8 @@ import android.os.Environment;
 import android.provider.MediaStore;
 import android.support.v4.content.FileProvider;
 import android.util.Log;
-
 import com.android.contacts.R;
 import com.google.common.io.Closeables;
-
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileNotFoundException;
@@ -148,7 +147,7 @@ public class ContactPhotoUtils {
 */
 public static boolean savePhotoFromUriToUri(Context context, Uri inputUri, Uri outputUri,
 boolean deleteAfterSave) {
- if (inputUri == null || outputUri == null) {
+ if (inputUri == null || outputUri == null || isFilePathAndNotStorage(inputUri)) {
 return false;
 }
 FileOutputStream outputStream = null;
@@ -179,4 +178,20 @@ public class ContactPhotoUtils {
 }
 return true;
 }
+
+ /**
+ * Returns {@code true} if the {@code inputUri} is a FILE scheme and it does not point to
+ * the storage directory.
+ */
+ private static boolean isFilePathAndNotStorage(Uri inputUri) {
+ if (ContentResolver.SCHEME_FILE.equals(inputUri.getScheme())) {
+ try {
+ File file = new File(inputUri.getPath()).getCanonicalFile();
+ return !file.getCanonicalPath().startsWith("/storage/");
+ } catch (IOException e) {
+ return false;
+ }
+ }
+ return false;
+ }
 }
diff --git a/tests/src/com/android/contacts/util/ContactPhotoUtilsTest.java b/tests/src/com/android/contacts/util/ContactPhotoUtilsTest.java
new file mode 100644
index 000000000..d17b98c2d
--- /dev/null
+++ b/tests/src/com/android/contacts/util/ContactPhotoUtilsTest.java
@@ -0,0 +1,49 @@
+package com.android.contacts.util;
+
+import android.net.Uri;
+import android.test.AndroidTestCase;
+import android.test.suitebuilder.annotation.SmallTest;
+
+/**
+ * Test cases for {@link ContactPhotoUtils}.
+ *
+ * adb shell am instrument -w -e class com.android.contacts.util.ContactPhotoUtilsTest \
+ * com.android.contacts.tests/android.test.InstrumentationTestRunner
+ */
+@SmallTest
+public class ContactPhotoUtilsTest extends AndroidTestCase {
+
+ private Uri tempUri;
+
+ @Override
+ protected void setUp() throws Exception {
+ tempUri = ContactPhotoUtils.generateTempImageUri(getContext());
+ }
+
+ protected void tearDown() throws Exception {
+ getContext().getContentResolver().delete(tempUri, null, null);
+ }
+
+ public void testFileUriDataPathFails() {
+ String filePath =
+ "file:///data/data/com.android.contacts/shared_prefs/com.android.contacts.xml";
+
+ assertFalse(
+ ContactPhotoUtils.savePhotoFromUriToUri(getContext(), Uri.parse(filePath), tempUri, false));
+ }
+
+ public void testFileUriCanonicalDataPathFails() {
+ String filePath =
+ "file:///storage/../data/data/com.android.contacts/shared_prefs/com.android.contacts.xml";
+
+ assertFalse(
+ ContactPhotoUtils.savePhotoFromUriToUri(getContext(), Uri.parse(filePath), tempUri, false));
+ }
+
+ public void testContentUriInternalPasses() {
+ Uri internal = ContactPhotoUtils.generateTempImageUri(getContext());
+
+ assertTrue(
+ ContactPhotoUtils.savePhotoFromUriToUri(getContext(), internal, tempUri, true));
+ }
+}
|
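Review bot: In `src/com/android/contacts/util/ContactPhotoUtils.java`, the new `isFilePathAndNotStorage` fails open: its `catch (IOException e)` branch returns `false`, which `savePhotoFromUriToUri` reads as "allowed", so a `file://` path that could not be canonicalized is still copied. As this helper is the only gate the commit adds, the catch should reject with `return true;`, ideally after a `Log.w` so the refusal is visible. `inputUri.getPath()` can also be null for a non-hierarchical `file:` URI, which would make `new File(...)` throw rather than return; a guard such as `if (inputUri.getPath() == null) return true;` ahead of the `try` treats that input as rejected too. Calling `getCanonicalFile()` and then `getCanonicalPath()` canonicalizes twice; `new File(path).getCanonicalPath()` is enough.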
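Review bot: In `ContactPhotoUtilsTest`, `setUp()` and `tearDown()` override `AndroidTestCase` without calling `super.setUp()` / `super.tearDown()`, and `tearDown()` lacks the `@Override` that `setUp()` carries. I would add `super.setUp();` as the first statement of `setUp()`, `super.tearDown();` as the last statement of `tearDown()`, and `@Override` on `tearDown()`. The three tests pin two rejected `file://` inputs and one accepted `content://` input. A case for a `file://` path under `/storage/` would pin the allow side of the check, so that a later change rejecting every `file://` URI does not pass unnoticed.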