authorRaman Tenneti <rtenneti@google.com>2022-01-05 12:04:39 -0800
committerRaman Tenneti <rtenneti@google.com>2022-01-05 12:04:39 -0800
commit0acea168f86f938bc99d872a79558b46e4b61c39 (patch)
tree62ccb7cbe9c53ce872506e8f13b738d1cf38c0ec
parent8d60379fa3d8509fe3affca8e6e001d4f921e894 (diff)
downloadGallery2-0acea168f86f938bc99d872a79558b46e4b61c39.tar.gz
AOSP/Gallery2 - Disable copying of arbitrary private file of Gallery2 into External Storage.
+ ContentResolver.SCHEME_FILE is a constant defined as "file". A malicious app can use a "File:" URL to copy private files of Gallery2. The fix is to lowercase the scheme before doing the comparison. Fix: 201535427 Bug: 201535427 Test: manual Change-Id: I40672a0745ac65549c539da73ebb5b1710fd2821
-rw-r--r--src/com/android/gallery3d/data/UriImage.java3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/com/android/gallery3d/data/UriImage.java b/src/com/android/gallery3d/data/UriImage.java
index b3fe1de03..0e5cd2a3f 100644
--- a/src/com/android/gallery3d/data/UriImage.java
+++ b/src/com/android/gallery3d/data/UriImage.java
@@ -37,6 +37,7 @@ import java.io.FileNotFoundException;
import java.io.InputStream;
import java.net.URI;
import java.net.URL;
+import java.util.Locale;
public class UriImage extends MediaItem {
private static final String TAG = "UriImage";
@@ -91,7 +92,7 @@ public class UriImage extends MediaItem {
}
private int openOrDownloadInner(JobContext jc) {
- String scheme = mUri.getScheme();
+ String scheme = mUri.getScheme().toLowerCase(Locale.ENGLISH);
if (ContentResolver.SCHEME_CONTENT.equals(scheme)
|| ContentResolver.SCHEME_ANDROID_RESOURCE.equals(scheme)
|| ContentResolver.SCHEME_FILE.equals(scheme)) {
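Review bot: `mUri.getScheme()` returns null for a URI that has no scheme, so the new `.toLowerCase(Locale.ENGLISH)` call in `openOrDownloadInner` can throw a NullPointerException where the old code simply fell through the null-safe `SCHEME_*.equals(scheme)` comparisons. Guard the normalization, for example `String rawScheme = mUri.getScheme();` followed by `String scheme = rawScheme == null ? null : rawScheme.toLowerCase(Locale.ROOT);` (`Locale.ROOT` is the conventional choice for locale-independent casing of protocol tokens). Whether a schemeless Uri can actually reach this method depends on callers outside the hunk, and the method body continues past the last line shown. If other code in this class inspects the scheme of `mUri` for an access decision, it should presumably use the same normalized value so that the check and the later open agree.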