From ccfd94b965c1e9c2e0b239c12137c239c602070d Mon Sep 17 00:00:00 2001
From: Gary Mai <garymai@google.com>
Date: Wed, 5 Sep 2018 15:17:41 -0700
Subject: Patch URI vulnerability in contact photo editing

Don't allow reading of "file://" URIs that don't point to "/storage" during the
photo saving flow.

This is to prevent malicious apps from asking us to read our own private
files which we copy into a temporary "content://" URI that we give to a
cropping app (with permission to read).

Fixing here patches both PhotoSelectionHandler.java and
AttachPhotoActivity.java.

Tested:
Manual with the fake gallery app. Confirmed that selecting an "image"
with a URI of our own shared_pref file fails without reading it.
ContactPhotoUtilsTest

Bug: 113597344
Change-Id: Iabb4f8139cedb7d7b865d69a4b95a4997f64c71d
---
 .../contacts/util/ContactPhotoUtilsTest.java       | 49 ++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 tests/src/com/android/contacts/util/ContactPhotoUtilsTest.java

(limited to 'tests/src/com')

diff --git a/tests/src/com/android/contacts/util/ContactPhotoUtilsTest.java b/tests/src/com/android/contacts/util/ContactPhotoUtilsTest.java
new file mode 100644
index 000000000..d17b98c2d
--- /dev/null
+++ b/tests/src/com/android/contacts/util/ContactPhotoUtilsTest.java
@@ -0,0 +1,49 @@
+package com.android.contacts.util;
+
+import android.net.Uri;
+import android.test.AndroidTestCase;
+import android.test.suitebuilder.annotation.SmallTest;
+
+/**
+ * Test cases for {@link ContactPhotoUtils}.
+ *
+ * adb shell am instrument -w -e class com.android.contacts.util.ContactPhotoUtilsTest \
+ *   com.android.contacts.tests/android.test.InstrumentationTestRunner
+ */
+@SmallTest
+public class ContactPhotoUtilsTest extends AndroidTestCase {
+
+  private Uri tempUri;
+
+  @Override
+  protected void setUp() throws Exception {
+    tempUri = ContactPhotoUtils.generateTempImageUri(getContext());
+  }
+
+  protected void tearDown() throws Exception {
+    getContext().getContentResolver().delete(tempUri, null, null);
+  }
+
+  public void testFileUriDataPathFails() {
+    String filePath =
+        "file:///data/data/com.android.contacts/shared_prefs/com.android.contacts.xml";
+
+    assertFalse(
+        ContactPhotoUtils.savePhotoFromUriToUri(getContext(), Uri.parse(filePath), tempUri, false));
+  }
+
+  public void testFileUriCanonicalDataPathFails() {
+    String filePath =
+        "file:///storage/../data/data/com.android.contacts/shared_prefs/com.android.contacts.xml";
+
+    assertFalse(
+        ContactPhotoUtils.savePhotoFromUriToUri(getContext(), Uri.parse(filePath), tempUri, false));
+  }
+
+  public void testContentUriInternalPasses() {
+    Uri internal = ContactPhotoUtils.generateTempImageUri(getContext());
+
+    assertTrue(
+        ContactPhotoUtils.savePhotoFromUriToUri(getContext(), internal, tempUri, true));
+  }
+}
-- 
cgit v1.2.3