Loading packages/SettingsLib/src/com/android/settingslib/users/AvatarPhotoController.java +8 −0 Original line number Diff line number Diff line Loading @@ -18,6 +18,7 @@ package com.android.settingslib.users; import android.app.Activity; import android.content.ClipData; import android.content.ContentProvider; import android.content.ContentResolver; import android.content.Context; import android.content.Intent; Loading @@ -32,6 +33,7 @@ import android.graphics.RectF; import android.media.ExifInterface; import android.net.Uri; import android.os.StrictMode; import android.os.UserHandle; import android.provider.MediaStore; import android.util.EventLog; import android.util.Log; Loading Loading @@ -132,6 +134,12 @@ class AvatarPhotoController { return false; } final int currentUserId = UserHandle.myUserId(); if (currentUserId != ContentProvider.getUserIdFromUri(pictureUri, currentUserId)) { Log.e(TAG, "Invalid pictureUri: " + pictureUri + " for user " + currentUserId); return false; } switch (requestCode) { case REQUEST_CODE_CROP_PHOTO: mAvatarUi.returnUriResult(pictureUri); Loading packages/SettingsLib/tests/integ/src/com/android/settingslib/users/AvatarPhotoControllerTest.java +20 −0 Original line number Diff line number Diff line Loading @@ -31,11 +31,14 @@ import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; import android.app.Activity; import android.content.ContentProvider; import android.content.ContentResolver; import android.content.Context; import android.content.Intent; import android.graphics.Bitmap; import android.graphics.BitmapFactory; import android.net.Uri; import android.os.UserHandle; import android.provider.MediaStore; import androidx.test.InstrumentationRegistry; Loading Loading 
@@ -254,6 +257,23 @@ public class AvatarPhotoControllerTest { assertThat(bitmap.getHeight()).isEqualTo(PHOTO_SIZE); } @Test public void onlyOwnerCanAccessUri() throws IOException { final Uri fileUri = Uri.parse( "content://12@com.android.settingslib.test/my_cache/multi_user/11/file.txt"); // making sure onActivityResult is not returning false because of wrong Scheme assertThat(ContentResolver.SCHEME_CONTENT).isEqualTo(fileUri.getScheme()); // making sure uri user is correct and different form executing user id assertThat(ContentProvider.getUserIdFromUri(fileUri)).isEqualTo(12); assertThat(UserHandle.myUserId()).isNotEqualTo(12); Intent intent = new Intent(); intent.setData(fileUri); boolean result = mController.onActivityResult( REQUEST_CODE_TAKE_PHOTO, Activity.RESULT_OK, intent); assertThat(result).isFalse(); } private Intent verifyStartActivityForResult(String action, int resultCode) { ArgumentCaptor<Intent> captor = ArgumentCaptor.forClass(Intent.class); verify(mMockAvatarUi, timeout(TIMEOUT_MILLIS)) Loading Loading
packages/SettingsLib/src/com/android/settingslib/users/AvatarPhotoController.java +8 −0 Original line number Diff line number Diff line Loading @@ -18,6 +18,7 @@ package com.android.settingslib.users; import android.app.Activity; import android.content.ClipData; import android.content.ContentProvider; import android.content.ContentResolver; import android.content.Context; import android.content.Intent; Loading @@ -32,6 +33,7 @@ import android.graphics.RectF; import android.media.ExifInterface; import android.net.Uri; import android.os.StrictMode; import android.os.UserHandle; import android.provider.MediaStore; import android.util.EventLog; import android.util.Log; Loading Loading @@ -132,6 +134,12 @@ class AvatarPhotoController { return false; } final int currentUserId = UserHandle.myUserId(); if (currentUserId != ContentProvider.getUserIdFromUri(pictureUri, currentUserId)) { Log.e(TAG, "Invalid pictureUri: " + pictureUri + " for user " + currentUserId); return false; } switch (requestCode) { case REQUEST_CODE_CROP_PHOTO: mAvatarUi.returnUriResult(pictureUri); Loading
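Review bot: The new user-id guard placed before `switch (requestCode)` carries no comment naming what it defends against, so a later refactor could move it below the switch or drop it without anyone noticing. I would add `// Reject content URIs whose authority names another user (content://<userId>@authority/...); only the current user's data may be handled here.` above `final int currentUserId`. The `Log.e` call also writes the whole caller-supplied `pictureUri` into the log. Logging `pictureUri.getAuthority()` together with `currentUserId` is enough to diagnose a rejection without copying an untrusted path into logcat. The enclosing method (presumably `onActivityResult`) starts and ends outside the hunk, so whether the other rejections emit an `EventLog` entry that this one should match cannot be checked from here.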
packages/SettingsLib/tests/integ/src/com/android/settingslib/users/AvatarPhotoControllerTest.java +20 −0 Original line number Diff line number Diff line Loading @@ -31,11 +31,14 @@ import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; import android.app.Activity; import android.content.ContentProvider; import android.content.ContentResolver; import android.content.Context; import android.content.Intent; import android.graphics.Bitmap; import android.graphics.BitmapFactory; import android.net.Uri; import android.os.UserHandle; import android.provider.MediaStore; import androidx.test.InstrumentationRegistry; Loading Loading @@ -254,6 +257,23 @@ public class AvatarPhotoControllerTest { assertThat(bitmap.getHeight()).isEqualTo(PHOTO_SIZE); } @Test public void onlyOwnerCanAccessUri() throws IOException { final Uri fileUri = Uri.parse( "content://12@com.android.settingslib.test/my_cache/multi_user/11/file.txt"); // making sure onActivityResult is not returning false because of wrong Scheme assertThat(ContentResolver.SCHEME_CONTENT).isEqualTo(fileUri.getScheme()); // making sure uri user is correct and different form executing user id assertThat(ContentProvider.getUserIdFromUri(fileUri)).isEqualTo(12); assertThat(UserHandle.myUserId()).isNotEqualTo(12); Intent intent = new Intent(); intent.setData(fileUri); boolean result = mController.onActivityResult( REQUEST_CODE_TAKE_PHOTO, Activity.RESULT_OK, intent); assertThat(result).isFalse(); } private Intent verifyStartActivityForResult(String action, int resultCode) { ArgumentCaptor<Intent> captor = ArgumentCaptor.forClass(Intent.class); verify(mMockAvatarUi, timeout(TIMEOUT_MILLIS)) Loading
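Review bot: `onlyOwnerCanAccessUri` pins the new guard only through the boolean result of one call with `REQUEST_CODE_TAKE_PHOTO`, and `false` is also what the controller returns for its earlier rejections. I would additionally assert that the URI never reaches the UI, e.g. `verify(mMockAvatarUi, never()).returnUriResult(any());` with the matching Mockito static imports. I would also repeat the call for `REQUEST_CODE_CROP_PHOTO` if that constant is visible to the test, since that is the branch the controller shows returning the URI directly. The precondition `assertThat(UserHandle.myUserId()).isNotEqualTo(12)` makes the test fail rather than skip when the suite runs as user 12, so an assumption would be the better fit. The comment above it reads `form` where `from` is meant, and the scheme assertion has actual and expected swapped (`assertThat(fileUri.getScheme()).isEqualTo(ContentResolver.SCHEME_CONTENT)` reads correctly in failure output).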