mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-23 22:49:28 -05:00
124 lines
5.5 KiB
Diff
124 lines
5.5 KiB
Diff
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||
|
From: Oli Lan <olilan@google.com>
|
||
|
Date: Fri, 26 Aug 2022 18:33:53 +0100
|
||
|
Subject: [PATCH] Prevent exfiltration of system files via avatar picker.
|
||
|
|
||
|
This adds mitigations to prevent system files being exfiltrated
|
||
|
via the settings content provider when a content URI is provided
|
||
|
as a chosen user image.
|
||
|
|
||
|
The mitigations are:
|
||
|
|
||
|
1) Copy the image to a new URI rather than the existing takePictureUri
|
||
|
prior to cropping.
|
||
|
|
||
|
2) Only allow a system handler to respond to the CROP intent.
|
||
|
|
||
|
This is a fixed version of ag/17004678, to address b/239513606.
|
||
|
|
||
|
Bug: 187702830
|
||
|
Test: build and check functionality
|
||
|
Change-Id: I07bb987b930b851a28871a13032b8fcfcd96d6d1
|
||
|
(cherry picked from commit 5981e18eb50c54088dc29f8a1e1dc8efdd4bb887)
|
||
|
Merged-In: I07bb987b930b851a28871a13032b8fcfcd96d6d1
|
||
|
---
|
||
|
.../preferences/EditUserPhotoController.java | 34 ++++++++++++++-----
|
||
|
1 file changed, 25 insertions(+), 9 deletions(-)
|
||
|
|
||
|
diff --git a/src/com/android/emergency/preferences/EditUserPhotoController.java b/src/com/android/emergency/preferences/EditUserPhotoController.java
|
||
|
index 77bed01..7265187 100644
|
||
|
--- a/src/com/android/emergency/preferences/EditUserPhotoController.java
|
||
|
+++ b/src/com/android/emergency/preferences/EditUserPhotoController.java
|
||
|
@@ -22,7 +22,9 @@ import android.content.ClipData;
|
||
|
import android.content.ContentResolver;
|
||
|
import android.content.Context;
|
||
|
import android.content.Intent;
|
||
|
+import android.content.pm.ActivityInfo;
|
||
|
import android.content.pm.PackageManager;
|
||
|
+import android.content.pm.ResolveInfo;
|
||
|
import android.database.Cursor;
|
||
|
import android.graphics.Bitmap;
|
||
|
import android.graphics.Bitmap.Config;
|
||
|
@@ -73,6 +75,7 @@ public class EditUserPhotoController {
|
||
|
private static final int REQUEST_CODE_TAKE_PHOTO = 10002;
|
||
|
private static final int REQUEST_CODE_CROP_PHOTO = 10003;
|
||
|
|
||
|
+ private static final String PRE_CROP_PICTURE_FILE_NAME = "PreCropEditUserPhoto.jpg";
|
||
|
private static final String CROP_PICTURE_FILE_NAME = "CropEditUserPhoto.jpg";
|
||
|
private static final String TAKE_PICTURE_FILE_NAME = "TakeEditUserPhoto2.jpg";
|
||
|
private static final String NEW_USER_PHOTO_FILE_NAME = "NewUserPhoto.png";
|
||
|
@@ -85,6 +88,7 @@ public class EditUserPhotoController {
|
||
|
private final Fragment mFragment;
|
||
|
private final ImageView mImageView;
|
||
|
|
||
|
+ private final Uri mPreCropPictureUri;
|
||
|
private final Uri mCropPictureUri;
|
||
|
private final Uri mTakePictureUri;
|
||
|
|
||
|
@@ -96,6 +100,7 @@ public class EditUserPhotoController {
|
||
|
mContext = view.getContext();
|
||
|
mFragment = fragment;
|
||
|
mImageView = view;
|
||
|
+ mPreCropPictureUri = createTempImageUri(mContext, PRE_CROP_PICTURE_FILE_NAME, !waiting);
|
||
|
mCropPictureUri = createTempImageUri(mContext, CROP_PICTURE_FILE_NAME, !waiting);
|
||
|
mTakePictureUri = createTempImageUri(mContext, TAKE_PICTURE_FILE_NAME, !waiting);
|
||
|
mPhotoSize = getPhotoSize(mContext);
|
||
|
@@ -122,7 +127,7 @@ public class EditUserPhotoController {
|
||
|
case REQUEST_CODE_TAKE_PHOTO:
|
||
|
case REQUEST_CODE_CHOOSE_PHOTO:
|
||
|
if (mTakePictureUri.equals(pictureUri)) {
|
||
|
- cropPhoto();
|
||
|
+ cropPhoto(pictureUri);
|
||
|
} else {
|
||
|
copyAndCropPhoto(pictureUri);
|
||
|
}
|
||
|
@@ -231,7 +236,7 @@ public class EditUserPhotoController {
|
||
|
protected Void doInBackground(Void... params) {
|
||
|
final ContentResolver cr = mContext.getContentResolver();
|
||
|
try (InputStream in = cr.openInputStream(pictureUri);
|
||
|
- OutputStream out = cr.openOutputStream(mTakePictureUri)) {
|
||
|
+ OutputStream out = cr.openOutputStream(mPreCropPictureUri)) {
|
||
|
Streams.copy(in, out);
|
||
|
} catch (IOException e) {
|
||
|
Log.w(TAG, "Failed to copy photo", e);
|
||
|
@@ -242,21 +247,32 @@ public class EditUserPhotoController {
|
||
|
@Override
|
||
|
protected void onPostExecute(Void result) {
|
||
|
if (!mFragment.isAdded()) return;
|
||
|
- cropPhoto();
|
||
|
+ cropPhoto(mPreCropPictureUri);
|
||
|
}
|
||
|
}.execute();
|
||
|
}
|
||
|
|
||
|
- private void cropPhoto() {
|
||
|
+ private void cropPhoto(final Uri pictureUri) {
|
||
|
Intent intent = new Intent(ACTION_CROP);
|
||
|
- intent.setDataAndType(mTakePictureUri, "image/*");
|
||
|
+ intent.setDataAndType(pictureUri, "image/*");
|
||
|
appendOutputExtra(intent, mCropPictureUri);
|
||
|
appendCropExtras(intent);
|
||
|
- if (intent.resolveActivity(mContext.getPackageManager()) != null) {
|
||
|
- mFragment.startActivityForResult(intent, REQUEST_CODE_CROP_PHOTO);
|
||
|
- } else {
|
||
|
- onPhotoCropped(mTakePictureUri, false);
|
||
|
+ if (startSystemActivityForResult(intent, REQUEST_CODE_CROP_PHOTO)) {
|
||
|
+ return;
|
||
|
+ }
|
||
|
+ onPhotoCropped(mTakePictureUri, false);
|
||
|
+ }
|
||
|
+
|
||
|
+ private boolean startSystemActivityForResult(Intent intent, int code) {
|
||
|
+ List<ResolveInfo> resolveInfos = mContext.getPackageManager()
|
||
|
+ .queryIntentActivities(intent, PackageManager.MATCH_SYSTEM_ONLY);
|
||
|
+ if (resolveInfos.isEmpty()) {
|
||
|
+ Log.w(TAG, "No system package activity could be found for code " + code);
|
||
|
+ return false;
|
||
|
}
|
||
|
+ intent.setPackage(resolveInfos.get(0).activityInfo.packageName);
|
||
|
+ mFragment.startActivityForResult(intent, code);
|
||
|
+ return true;
|
||
|
}
|
||
|
|
||
|
private void appendOutputExtra(Intent intent, Uri pictureUri) {
|