Commit 25285605 authored Jan 23, 2025 by Aditya Singh Committed by Alexander Grund May 03, 2025

Fix for SAF loophole in the lastAccessedStack.

When loading the last accessed stack, the code did not check if the file
path (uri) should be blocked, thereby allowing an attacker to bypass the
scoped storage restriction put on initial uri.
This change adds the check when loading last accessed stack.

Bug: 352294617 
Test: Manual as per http://b/352294617#comment4
Flag: EXEMPT bugfix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1c8ce190df41eb77fdfce5830caec4b117ed0ddf)
Merged-In: I4de8bad7174273c9390da978e186ad6a85f27be5
Change-Id: I4de8bad7174273c9390da978e186ad6a85f27be5

parent d9dc96f2

src/com/android/documentsui/picker/ActionHandler.java

+3 −0

Original line number	Diff line number	Diff line
		@@ -188,6 +188,9 @@ class ActionHandler<T extends FragmentActivity & Addons> extends AbstractActionH
		private void onLastAccessedStackLoaded(@Nullable DocumentStack stack) {
		if (stack == null) {
		loadDefaultLocation();
		} else if (shouldPreemptivelyRestrictRequestedInitialUri(stack.peek().getDocumentUri())) {
		// If the last accessed stack has restricted uri, load default location
		loadDefaultLocation();
		} else {
		mState.stack.reset(stack);
		mActivity.refreshCurrentRootAndDirectory(AnimationView.ANIM_NONE);