Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit fc6e9464 authored by Android Build Merger (Role)'s avatar Android Build Merger (Role)
Browse files

[automerger] Patch URI vulnerability in contact photo editing am: ccfd94b9 am: 2fc4d78b 

Change-Id: I38a0994d88f5cb38057e9eb17bbc786b03843b23
parents e7ff9a8d 2fc4d78b

src/com/android/contacts/util/ContactPhotoUtils.java

+18 −4
Original line number Diff line number Diff line
@@ -18,19 +18,17 @@ 
package com.android.contacts.util;



import android.content.ClipData;

import android.content.ContentResolver;

import android.content.Context;

import android.content.Intent;

import android.graphics.Bitmap;

import android.graphics.BitmapFactory;

import android.net.Uri;

import android.os.Environment;

import android.provider.MediaStore;

import android.support.v4.content.FileProvider;

import android.util.Log;



import com.android.contacts.R;

import com.google.common.io.Closeables;



import java.io.ByteArrayOutputStream;

import java.io.File;

import java.io.FileNotFoundException;
@@ -148,7 +146,7 @@ public class ContactPhotoUtils { 
     */

    public static boolean savePhotoFromUriToUri(Context context, Uri inputUri, Uri outputUri,

            boolean deleteAfterSave) {

        if (inputUri == null || outputUri == null) {

        if (inputUri == null || outputUri == null || isFilePathAndNotStorage(inputUri)) {

            return false;

        }

        try (FileOutputStream outputStream = context.getContentResolver()
@@ -173,4 +171,20 @@ public class ContactPhotoUtils { 
        }

        return true;

    }



    /**

     * Returns {@code true} if the {@code inputUri} is a FILE scheme and it does not point to

     * the storage directory.

     */

    private static boolean isFilePathAndNotStorage(Uri inputUri) {

        if (ContentResolver.SCHEME_FILE.equals(inputUri.getScheme())) {

            try {

                File file = new File(inputUri.getPath()).getCanonicalFile();

                return !file.getCanonicalPath().startsWith("/storage/");

            } catch (IOException e) {

                return false;

            }

        }

        return false;

    }

}

tests/src/com/android/contacts/util/ContactPhotoUtilsTest.java

0 → 100644
+49 −0
Original line number Diff line number Diff line 
package com.android.contacts.util;



import android.net.Uri;

import android.test.AndroidTestCase;

import android.test.suitebuilder.annotation.SmallTest;



/**

 * Test cases for {@link ContactPhotoUtils}.

 *

 * adb shell am instrument -w -e class com.android.contacts.util.ContactPhotoUtilsTest \

 *   com.android.contacts.tests/android.test.InstrumentationTestRunner

 */

@SmallTest

public class ContactPhotoUtilsTest extends AndroidTestCase {



  private Uri tempUri;



  @Override

  protected void setUp() throws Exception {

    tempUri = ContactPhotoUtils.generateTempImageUri(getContext());

  }



  protected void tearDown() throws Exception {

    getContext().getContentResolver().delete(tempUri, null, null);

  }



  public void testFileUriDataPathFails() {

    String filePath =

        "file:///data/data/com.android.contacts/shared_prefs/com.android.contacts.xml";



    assertFalse(

        ContactPhotoUtils.savePhotoFromUriToUri(getContext(), Uri.parse(filePath), tempUri, false));

  }



  public void testFileUriCanonicalDataPathFails() {

    String filePath =

        "file:///storage/../data/data/com.android.contacts/shared_prefs/com.android.contacts.xml";



    assertFalse(

        ContactPhotoUtils.savePhotoFromUriToUri(getContext(), Uri.parse(filePath), tempUri, false));

  }



  public void testContentUriInternalPasses() {

    Uri internal = ContactPhotoUtils.generateTempImageUri(getContext());



    assertTrue(

        ContactPhotoUtils.savePhotoFromUriToUri(getContext(), internal, tempUri, true));

  }

}