
Commit fd3945a3 authored by Presubmit Automerger Backend's avatar Presubmit Automerger Backend

[automerge] Prevent exfiltration of system files via avatar picker. 2p: 1b48ca6b

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/19748987

Bug: 187702830
Change-Id: Ide9dd2f7aff12d728d447e9b321e1aca8fbd1bd6
Merged-In: Idf1ab60878d619ee30505d71e8afe31d8b0c0ebe
parents d9e939ee 1b48ca6b
+31 −13
@@ -21,6 +21,8 @@ import android.content.ClipData;
import android.content.ContentResolver;
import android.content.ContentResolver;
import android.content.Context;
import android.content.Context;
import android.content.Intent;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import android.database.Cursor;
import android.database.Cursor;
import android.graphics.Bitmap;
import android.graphics.Bitmap;
import android.graphics.Bitmap.Config;
import android.graphics.Bitmap.Config;
@@ -83,6 +85,7 @@ public class EditUserPhotoController {
    private static final int DEFAULT_PHOTO_SIZE = 500;
    private static final int DEFAULT_PHOTO_SIZE = 500;


    private static final String IMAGES_DIR = "multi_user";
    private static final String IMAGES_DIR = "multi_user";
    private static final String PRE_CROP_PICTURE_FILE_NAME = "PreCropEditUserPhoto.jpg";
    private static final String CROP_PICTURE_FILE_NAME = "CropEditUserPhoto.jpg";
    private static final String CROP_PICTURE_FILE_NAME = "CropEditUserPhoto.jpg";
    private static final String TAKE_PICTURE_FILE_NAME = "TakeEditUserPhoto.jpg";
    private static final String TAKE_PICTURE_FILE_NAME = "TakeEditUserPhoto.jpg";
    private static final String NEW_USER_PHOTO_FILE_NAME = "NewUserPhoto.png";
    private static final String NEW_USER_PHOTO_FILE_NAME = "NewUserPhoto.png";
@@ -95,6 +98,7 @@ public class EditUserPhotoController {
    private final String mFileAuthority;
    private final String mFileAuthority;


    private final File mImagesDir;
    private final File mImagesDir;
    private final Uri mPreCropPictureUri;
    private final Uri mCropPictureUri;
    private final Uri mCropPictureUri;
    private final Uri mTakePictureUri;
    private final Uri mTakePictureUri;


@@ -110,6 +114,7 @@ public class EditUserPhotoController {


        mImagesDir = new File(activity.getCacheDir(), IMAGES_DIR);
        mImagesDir = new File(activity.getCacheDir(), IMAGES_DIR);
        mImagesDir.mkdir();
        mImagesDir.mkdir();
        mPreCropPictureUri = createTempImageUri(activity, PRE_CROP_PICTURE_FILE_NAME, !waiting);
        mCropPictureUri = createTempImageUri(activity, CROP_PICTURE_FILE_NAME, !waiting);
        mCropPictureUri = createTempImageUri(activity, CROP_PICTURE_FILE_NAME, !waiting);
        mTakePictureUri = createTempImageUri(activity, TAKE_PICTURE_FILE_NAME, !waiting);
        mTakePictureUri = createTempImageUri(activity, TAKE_PICTURE_FILE_NAME, !waiting);
        mPhotoSize = getPhotoSize(activity);
        mPhotoSize = getPhotoSize(activity);
@@ -143,7 +148,7 @@ public class EditUserPhotoController {
            case REQUEST_CODE_CHOOSE_PHOTO:
            case REQUEST_CODE_CHOOSE_PHOTO:
                if (mTakePictureUri.equals(pictureUri)) {
                if (mTakePictureUri.equals(pictureUri)) {
                    if (PhotoCapabilityUtils.canCropPhoto(mActivity)) {
                    if (PhotoCapabilityUtils.canCropPhoto(mActivity)) {
                        cropPhoto();
                        cropPhoto(pictureUri);
                    } else {
                    } else {
                        onPhotoNotCropped(pictureUri);
                        onPhotoNotCropped(pictureUri);
                    }
                    }
@@ -224,7 +229,7 @@ public class EditUserPhotoController {
            protected Void doInBackground(Void... params) {
            protected Void doInBackground(Void... params) {
                final ContentResolver cr = mActivity.getContentResolver();
                final ContentResolver cr = mActivity.getContentResolver();
                try (InputStream in = cr.openInputStream(pictureUri);
                try (InputStream in = cr.openInputStream(pictureUri);
                     OutputStream out = cr.openOutputStream(mTakePictureUri)) {
                        OutputStream out = cr.openOutputStream(mPreCropPictureUri)) {
                    Streams.copy(in, out);
                    Streams.copy(in, out);
                } catch (IOException e) {
                } catch (IOException e) {
                    Log.w(TAG, "Failed to copy photo", e);
                    Log.w(TAG, "Failed to copy photo", e);
@@ -235,28 +240,41 @@ public class EditUserPhotoController {
            @Override
            @Override
            protected void onPostExecute(Void result) {
            protected void onPostExecute(Void result) {
                if (!mActivity.isFinishing() && !mActivity.isDestroyed()) {
                if (!mActivity.isFinishing() && !mActivity.isDestroyed()) {
                    cropPhoto();
                    cropPhoto(mPreCropPictureUri);
                }
                }
            }
            }
        }.execute();
        }.execute();
    }
    }


    private void cropPhoto() {
    private void cropPhoto(final Uri pictureUri) {
        // TODO: Use a public intent, when there is one.
        // TODO: Use a public intent, when there is one.
        Intent intent = new Intent("com.android.camera.action.CROP");
        Intent intent = new Intent("com.android.camera.action.CROP");
        intent.setDataAndType(mTakePictureUri, "image/*");
        intent.setDataAndType(pictureUri, "image/*");
        appendOutputExtra(intent, mCropPictureUri);
        appendOutputExtra(intent, mCropPictureUri);
        appendCropExtras(intent);
        appendCropExtras(intent);
        if (intent.resolveActivity(mActivity.getPackageManager()) != null) {
        try {
        try {
            StrictMode.disableDeathOnFileUriExposure();
            StrictMode.disableDeathOnFileUriExposure();
                mActivityStarter.startActivityForResult(intent, REQUEST_CODE_CROP_PHOTO);
            if (startSystemActivityForResult(intent, REQUEST_CODE_CROP_PHOTO)) {
                return;
            }
        } finally {
        } finally {
            StrictMode.enableDeathOnFileUriExposure();
            StrictMode.enableDeathOnFileUriExposure();
        }
        }
        } else {

        onPhotoNotCropped(mTakePictureUri);
        onPhotoNotCropped(mTakePictureUri);

    }
    }

    private boolean startSystemActivityForResult(Intent intent, int code) {
        List<ResolveInfo> resolveInfos = mActivity.getPackageManager()
                .queryIntentActivities(intent, PackageManager.MATCH_SYSTEM_ONLY);
        if (resolveInfos.isEmpty()) {
            Log.w(TAG, "No system package activity could be found for code " + code);
            return false;
        }
        intent.setPackage(resolveInfos.get(0).activityInfo.packageName);
        mActivityStarter.startActivityForResult(intent, code);
        return true;
    }
    }


    private void appendOutputExtra(Intent intent, Uri pictureUri) {
    private void appendOutputExtra(Intent intent, Uri pictureUri) {
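Review bot: In the rewritten `cropPhoto(final Uri pictureUri)`, the fallback at the end still calls `onPhotoNotCropped(mTakePictureUri)` and ignores the new parameter. On the chooser path the picked image is now copied to `mPreCropPictureUri`, so when `startSystemActivityForResult` returns false the fallback reads a file this flow never wrote, which may be empty or hold an earlier capture; the call should be `onPhotoNotCropped(pictureUri);`. It is also worth confirming that the cleanup code, which is not visible in these hunks, deletes `PreCropEditUserPhoto.jpg` along with the crop and take-picture files, since it holds a copy of whatever the picker returned. `startSystemActivityForResult` would benefit from a short comment saying why the intent is pinned to the first `MATCH_SYSTEM_ONLY` result, presumably so the data and output URIs are only ever handed to a system crop handler.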