Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8b19ca47 authored by Gary Mai's avatar Gary Mai
Browse files

Address photo editing security bug 

Filter to only system apps that can handle cropping.
Otherwise, save the photo as is.

Bug: 195748381
Test: Manual test with the PoC. Verified only the system installed app
was able to crop the photo and no crop was offered when it was disabled

Change-Id: Id1527f589064aa278715afcb060647ec6841e6da
parent 024c62fa

src/com/android/contacts/activities/AttachPhotoActivity.java

+8 −5
Original line number Diff line number Diff line
@@ -197,7 +197,8 @@ public class AttachPhotoActivity extends ContactsActivity { 
            }

            ContactPhotoUtils.addPhotoPickerExtras(intent, mCroppedPhotoUri);

            ContactPhotoUtils.addCropExtras(intent, mPhotoDim != 0 ? mPhotoDim : mDefaultPhotoDim);

            if (!hasIntentHandler(intent)) {

            final ResolveInfo intentHandler = getIntentHandler(intent);

            if (intentHandler == null) {

                // No activity supports the crop action. So skip cropping and set the photo

                // without performing any cropping.

                mCroppedPhotoUri = mTempPhotoUri;
@@ -211,6 +212,7 @@ public class AttachPhotoActivity extends ContactsActivity { 
                return;

            }



            intent.setPackage(intentHandler.activityInfo.packageName);

            try {

                startActivityForResult(intent, REQUEST_CROP_PHOTO);

            } catch (ActivityNotFoundException ex) {
@@ -237,10 +239,11 @@ public class AttachPhotoActivity extends ContactsActivity { 
        }

    }



    private boolean hasIntentHandler(Intent intent) {

        final List<ResolveInfo> resolveInfo = getPackageManager()

                .queryIntentActivities(intent, PackageManager.MATCH_DEFAULT_ONLY);

        return resolveInfo != null && resolveInfo.size() > 0;

    private ResolveInfo getIntentHandler(Intent intent) {

        final List<ResolveInfo> resolveInfos = getPackageManager()

                .queryIntentActivities(intent,

                        PackageManager.MATCH_DEFAULT_ONLY | PackageManager.MATCH_SYSTEM_ONLY);

        return (resolveInfos != null && resolveInfos.size() > 0) ? resolveInfos.get(0) : null;

    }



    // TODO: consider moving this to ContactLoader, especially if we keep adding similar

src/com/android/contacts/detail/PhotoSelectionHandler.java

+8 −5
Original line number Diff line number Diff line
@@ -242,7 +242,8 @@ public abstract class PhotoSelectionHandler implements OnClickListener { 
     */

    private void doCropPhoto(Uri inputUri, Uri outputUri) {

        final Intent intent = getCropImageIntent(inputUri, outputUri);

        if (!hasIntentHandler(intent)) {

        final ResolveInfo intentHandler = getIntentHandler(intent);

        if (intentHandler == null) {

            try {

                getListener().onPhotoSelected(inputUri);

            } catch (FileNotFoundException e) {
@@ -252,6 +253,7 @@ public abstract class PhotoSelectionHandler implements OnClickListener { 
            }

            return;

        }

        intent.setPackage(intentHandler.activityInfo.packageName);

        try {

            // Launch gallery to crop the photo

            startPhotoActivity(intent, REQUEST_CROP_PHOTO, inputUri);
@@ -322,10 +324,11 @@ public abstract class PhotoSelectionHandler implements OnClickListener { 
        return intent;

    }



    private boolean hasIntentHandler(Intent intent) {

        final List<ResolveInfo> resolveInfo = mContext.getPackageManager()

                .queryIntentActivities(intent, PackageManager.MATCH_DEFAULT_ONLY);

        return resolveInfo != null && resolveInfo.size() > 0;

    private ResolveInfo getIntentHandler(Intent intent) {

        final List<ResolveInfo> resolveInfos = mContext.getPackageManager()

                .queryIntentActivities(intent,

                        PackageManager.MATCH_DEFAULT_ONLY | PackageManager.MATCH_SYSTEM_ONLY);

        return (resolveInfos != null && resolveInfos.size() > 0) ? resolveInfos.get(0) : null;

    }



    /**