Address photo editing security bug am: 8b19ca4708

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/apps/Contacts/+/15840259

Change-Id: Ic9f124f170c1e418faa0394d8bdc47b532b949a4

2 files changed, 16 insertions, 10 deletions

diff --git a/src/com/android/contacts/activities/AttachPhotoActivity.java b/src/com/android/contacts/activities/AttachPhotoActivity.java
index b25c306c3..bfa25e6ba 100644
--- a/src/com/android/contacts/activities/AttachPhotoActivity.java
+++ b/src/com/android/contacts/activities/AttachPhotoActivity.java
@@ -197,7 +197,8 @@ public class AttachPhotoActivity extends ContactsActivity {
             }
             ContactPhotoUtils.addPhotoPickerExtras(intent, mCroppedPhotoUri);
             ContactPhotoUtils.addCropExtras(intent, mPhotoDim != 0 ? mPhotoDim : mDefaultPhotoDim);
-            if (!hasIntentHandler(intent)) {
+            final ResolveInfo intentHandler = getIntentHandler(intent);
+            if (intentHandler == null) {
                 // No activity supports the crop action. So skip cropping and set the photo
                 // without performing any cropping.
                 mCroppedPhotoUri = mTempPhotoUri;
@@ -211,6 +212,7 @@ public class AttachPhotoActivity extends ContactsActivity {
                 return;
             }
 
+            intent.setPackage(intentHandler.activityInfo.packageName);
             try {
                 startActivityForResult(intent, REQUEST_CROP_PHOTO);
             } catch (ActivityNotFoundException ex) {
@@ -237,10 +239,11 @@ public class AttachPhotoActivity extends ContactsActivity {
         }
     }
 
-    private boolean hasIntentHandler(Intent intent) {
-        final List<ResolveInfo> resolveInfo = getPackageManager()
-                .queryIntentActivities(intent, PackageManager.MATCH_DEFAULT_ONLY);
-        return resolveInfo != null && resolveInfo.size() > 0;
+    private ResolveInfo getIntentHandler(Intent intent) {
+        final List<ResolveInfo> resolveInfos = getPackageManager()
+                .queryIntentActivities(intent,
+                        PackageManager.MATCH_DEFAULT_ONLY | PackageManager.MATCH_SYSTEM_ONLY);
+        return (resolveInfos != null && resolveInfos.size() > 0) ? resolveInfos.get(0) : null;
     }
 
     // TODO: consider moving this to ContactLoader, especially if we keep adding similar
diff --git a/src/com/android/contacts/detail/PhotoSelectionHandler.java b/src/com/android/contacts/detail/PhotoSelectionHandler.java
index 053ee2216..1567116d4 100644
--- a/src/com/android/contacts/detail/PhotoSelectionHandler.java
+++ b/src/com/android/contacts/detail/PhotoSelectionHandler.java
@@ -242,7 +242,8 @@ public abstract class PhotoSelectionHandler implements OnClickListener {
      */
     private void doCropPhoto(Uri inputUri, Uri outputUri) {
         final Intent intent = getCropImageIntent(inputUri, outputUri);
-        if (!hasIntentHandler(intent)) {
+        final ResolveInfo intentHandler = getIntentHandler(intent);
+        if (intentHandler == null) {
             try {
                 getListener().onPhotoSelected(inputUri);
             } catch (FileNotFoundException e) {
@@ -252,6 +253,7 @@ public abstract class PhotoSelectionHandler implements OnClickListener {
             }
             return;
         }
+        intent.setPackage(intentHandler.activityInfo.packageName);
         try {
             // Launch gallery to crop the photo
             startPhotoActivity(intent, REQUEST_CROP_PHOTO, inputUri);
@@ -322,10 +324,11 @@ public abstract class PhotoSelectionHandler implements OnClickListener {
         return intent;
     }
 
-    private boolean hasIntentHandler(Intent intent) {
-        final List<ResolveInfo> resolveInfo = mContext.getPackageManager()
-                .queryIntentActivities(intent, PackageManager.MATCH_DEFAULT_ONLY);
-        return resolveInfo != null && resolveInfo.size() > 0;
+    private ResolveInfo getIntentHandler(Intent intent) {
+        final List<ResolveInfo> resolveInfos = mContext.getPackageManager()
+                .queryIntentActivities(intent,
+                        PackageManager.MATCH_DEFAULT_ONLY | PackageManager.MATCH_SYSTEM_ONLY);
+        return (resolveInfos != null && resolveInfos.size() > 0) ? resolveInfos.get(0) : null;
     }
 
     /**