commit 5981e18eb50c54088dc29f8a1e1dc8efdd4bb887
author Oli Lan <olilan@google.com> Fri Aug 26 18:33:53 2022 +0100
committer Oli Lan <olilan@google.com> Fri Aug 26 19:48:29 2022 +0100
tree c97f9ea82db3320099a7fb2746179631bc772b1e
parent 889b93dd4ec351889db69b528d81cdc3f63968fc

Prevent exfiltration of system files via avatar picker.

This adds mitigations to prevent system files being exfiltrated
via the settings content provider when a content URI is provided
as a chosen user image.

The mitigations are:

1) Copy the image to a new URI rather than the existing takePictureUri
prior to cropping.

2) Only allow a system handler to respond to the CROP intent.

This is a fixed version of ag/17004678, to address b/239513606.

Bug: 187702830
Test: build and check functionality
Change-Id: I07bb987b930b851a28871a13032b8fcfcd96d6d1

src/com/android/emergency/preferences/EditUserPhotoController.java

diff --git a/src/com/android/emergency/preferences/EditUserPhotoController.java b/src/com/android/emergency/preferences/EditUserPhotoController.java
index 6064ed8..8a8cc9e 100644
--- a/src/com/android/emergency/preferences/EditUserPhotoController.java
+++ b/src/com/android/emergency/preferences/EditUserPhotoController.java
@@ -22,7 +22,9 @@
 import android.content.ContentResolver;
 import android.content.Context;
 import android.content.Intent;
+import android.content.pm.ActivityInfo;
 import android.content.pm.PackageManager;
+import android.content.pm.ResolveInfo;
 import android.database.Cursor;
 import android.graphics.Bitmap;
 import android.graphics.Bitmap.Config;
@@ -74,6 +76,7 @@
     private static final int REQUEST_CODE_TAKE_PHOTO = 10002;
     private static final int REQUEST_CODE_CROP_PHOTO = 10003;
 
+    private static final String PRE_CROP_PICTURE_FILE_NAME = "PreCropEditUserPhoto.jpg";
     private static final String CROP_PICTURE_FILE_NAME = "CropEditUserPhoto.jpg";
     private static final String TAKE_PICTURE_FILE_NAME = "TakeEditUserPhoto2.jpg";
     private static final String NEW_USER_PHOTO_FILE_NAME = "NewUserPhoto.png";
@@ -86,6 +89,7 @@
     private final Fragment mFragment;
     private final ImageView mImageView;
 
+    private final Uri mPreCropPictureUri;
     private final Uri mCropPictureUri;
     private final Uri mTakePictureUri;
 
@@ -97,6 +101,7 @@
         mContext = view.getContext();
         mFragment = fragment;
         mImageView = view;
+        mPreCropPictureUri = createTempImageUri(mContext, PRE_CROP_PICTURE_FILE_NAME, !waiting);
         mCropPictureUri = createTempImageUri(mContext, CROP_PICTURE_FILE_NAME, !waiting);
         mTakePictureUri = createTempImageUri(mContext, TAKE_PICTURE_FILE_NAME, !waiting);
         mPhotoSize = getPhotoSize(mContext);
@@ -123,7 +128,7 @@
             case REQUEST_CODE_TAKE_PHOTO:
             case REQUEST_CODE_CHOOSE_PHOTO:
                 if (mTakePictureUri.equals(pictureUri)) {
-                    cropPhoto();
+                    cropPhoto(pictureUri);
                 } else {
                     copyAndCropPhoto(pictureUri);
                 }
@@ -232,7 +237,7 @@
             protected Void doInBackground(Void... params) {
                 final ContentResolver cr = mContext.getContentResolver();
                 try (InputStream in = cr.openInputStream(pictureUri);
-                        OutputStream out = cr.openOutputStream(mTakePictureUri)) {
+                        OutputStream out = cr.openOutputStream(mPreCropPictureUri)) {
                     Streams.copy(in, out);
                 } catch (IOException e) {
                     Log.w(TAG, "Failed to copy photo", e);
@@ -243,21 +248,32 @@
             @Override
             protected void onPostExecute(Void result) {
                 if (!mFragment.isAdded()) return;
-                cropPhoto();
+                cropPhoto(mPreCropPictureUri);
             }
         }.execute();
     }
 
-    private void cropPhoto() {
+    private void cropPhoto(final Uri pictureUri) {
         Intent intent = new Intent(ACTION_CROP);
-        intent.setDataAndType(mTakePictureUri, "image/*");
+        intent.setDataAndType(pictureUri, "image/*");
         appendOutputExtra(intent, mCropPictureUri);
         appendCropExtras(intent);
-        if (intent.resolveActivity(mContext.getPackageManager()) != null) {
-            mFragment.startActivityForResult(intent, REQUEST_CODE_CROP_PHOTO);
-        } else {
-            onPhotoCropped(mTakePictureUri, false);
+        if (startSystemActivityForResult(intent, REQUEST_CODE_CROP_PHOTO)) {
+            return;
         }
+        onPhotoCropped(mTakePictureUri, false);
+    }
+
+    private boolean startSystemActivityForResult(Intent intent, int code) {
+        List<ResolveInfo> resolveInfos = mContext.getPackageManager()
+                .queryIntentActivities(intent, PackageManager.MATCH_SYSTEM_ONLY);
+        if (resolveInfos.isEmpty()) {
+            Log.w(TAG, "No system package activity could be found for code " + code);
+            return false;
+        }
+        intent.setPackage(resolveInfos.get(0).activityInfo.packageName);
+        mFragment.startActivityForResult(intent, code);
+        return true;
     }
 
     private void appendOutputExtra(Intent intent, Uri pictureUri) {