Unverified Commit d86de890 authored by Raman Tenneti, committed by Michael Bestas

AOSP/Gallery2 - Disable copying of arbitrary private file of Gallery2 into External Storage.

+ ContentResolver.SCHEME_FILE is a constant defined as "file". A malicious
  app can use "File:" url to copy private files of Gallery2.

  Fix is to lowercase the scheme before doing the comparison.

Fix: 201535427
Bug: 201535427
Test: manual
Change-Id: I40672a0745ac65549c539da73ebb5b1710fd2821
(cherry picked from commit 0acea168f86f938bc99d872a79558b46e4b61c39)
parent 495f1c91
+2 −1
@@ -38,6 +38,7 @@ import java.io.FileNotFoundException;
import java.io.InputStream;
import java.net.URI;
import java.net.URL;
import java.util.Locale;

public class UriImage extends MediaItem {
    private static final String TAG = "UriImage";
@@ -94,7 +95,7 @@ public class UriImage extends MediaItem {
    }

    private int openOrDownloadInner(JobContext jc) {
        String scheme = mUri.getScheme();
        String scheme = mUri.getScheme().toLowerCase(Locale.ENGLISH);
        if (ContentResolver.SCHEME_CONTENT.equals(scheme)
                || ContentResolver.SCHEME_ANDROID_RESOURCE.equals(scheme)
                || ContentResolver.SCHEME_FILE.equals(scheme)) {
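
Review bot: The new `mUri.getScheme().toLowerCase(Locale.ENGLISH)` line in openOrDownloadInner dereferences the scheme unconditionally, but Uri.getScheme() returns null for a relative URI, so a scheme-less URI now throws a NullPointerException before the comparisons run. The previous form was null-safe because each check is written as `ContentResolver.SCHEME_*.equals(scheme)`. Read the scheme into a local, handle null explicitly (treat it as an unsupported scheme), and only then lowercase it. Locale.ROOT is the more conventional choice than Locale.ENGLISH for locale-independent case folding of protocol tokens. With "Test: manual" as the only coverage, a small regression test that feeds "File:", "FILE:" and a relative URI through this path would keep the comparison from regressing.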