Prevent exfiltration of system files via avatar picker.
This adds mitigations to prevent system files being exfiltrated
via the settings content provider when a content URI is provided
as a chosen user image.
The mitigations are:
1) Copy the image to a new URI rather than the existing takePictureUri
prior to cropping.
2) Only allow a system handler to respond to the CROP intent.
This is a fixed version of ag/17004678, to address b/239513606.
Bug: 187702830
Test: build and check functionality
Change-Id: I07bb987b930b851a28871a13032b8fcfcd96d6d1
diff --git a/src/com/android/emergency/preferences/EditUserPhotoController.java b/src/com/android/emergency/preferences/EditUserPhotoController.java
index 6064ed8..8a8cc9e 100644
--- a/src/com/android/emergency/preferences/EditUserPhotoController.java
+++ b/src/com/android/emergency/preferences/EditUserPhotoController.java
@@ -22,7 +22,9 @@
import android.content.ContentResolver;
import android.content.Context;
import android.content.Intent;
+import android.content.pm.ActivityInfo;
import android.content.pm.PackageManager;
+import android.content.pm.ResolveInfo;
import android.database.Cursor;
import android.graphics.Bitmap;
import android.graphics.Bitmap.Config;
@@ -74,6 +76,7 @@
private static final int REQUEST_CODE_TAKE_PHOTO = 10002;
private static final int REQUEST_CODE_CROP_PHOTO = 10003;
+ private static final String PRE_CROP_PICTURE_FILE_NAME = "PreCropEditUserPhoto.jpg";
private static final String CROP_PICTURE_FILE_NAME = "CropEditUserPhoto.jpg";
private static final String TAKE_PICTURE_FILE_NAME = "TakeEditUserPhoto2.jpg";
private static final String NEW_USER_PHOTO_FILE_NAME = "NewUserPhoto.png";
@@ -86,6 +89,7 @@
private final Fragment mFragment;
private final ImageView mImageView;
+ private final Uri mPreCropPictureUri;
private final Uri mCropPictureUri;
private final Uri mTakePictureUri;
@@ -97,6 +101,7 @@
mContext = view.getContext();
mFragment = fragment;
mImageView = view;
+ mPreCropPictureUri = createTempImageUri(mContext, PRE_CROP_PICTURE_FILE_NAME, !waiting);
mCropPictureUri = createTempImageUri(mContext, CROP_PICTURE_FILE_NAME, !waiting);
mTakePictureUri = createTempImageUri(mContext, TAKE_PICTURE_FILE_NAME, !waiting);
mPhotoSize = getPhotoSize(mContext);
@@ -123,7 +128,7 @@
case REQUEST_CODE_TAKE_PHOTO:
case REQUEST_CODE_CHOOSE_PHOTO:
if (mTakePictureUri.equals(pictureUri)) {
- cropPhoto();
+ cropPhoto(pictureUri);
} else {
copyAndCropPhoto(pictureUri);
}
@@ -232,7 +237,7 @@
protected Void doInBackground(Void... params) {
final ContentResolver cr = mContext.getContentResolver();
try (InputStream in = cr.openInputStream(pictureUri);
- OutputStream out = cr.openOutputStream(mTakePictureUri)) {
+ OutputStream out = cr.openOutputStream(mPreCropPictureUri)) {
Streams.copy(in, out);
} catch (IOException e) {
Log.w(TAG, "Failed to copy photo", e);
@@ -243,21 +248,32 @@
@Override
protected void onPostExecute(Void result) {
if (!mFragment.isAdded()) return;
- cropPhoto();
+ cropPhoto(mPreCropPictureUri);
}
}.execute();
}
- private void cropPhoto() {
+ private void cropPhoto(final Uri pictureUri) {
Intent intent = new Intent(ACTION_CROP);
- intent.setDataAndType(mTakePictureUri, "image/*");
+ intent.setDataAndType(pictureUri, "image/*");
appendOutputExtra(intent, mCropPictureUri);
appendCropExtras(intent);
- if (intent.resolveActivity(mContext.getPackageManager()) != null) {
- mFragment.startActivityForResult(intent, REQUEST_CODE_CROP_PHOTO);
- } else {
- onPhotoCropped(mTakePictureUri, false);
+ if (startSystemActivityForResult(intent, REQUEST_CODE_CROP_PHOTO)) {
+ return;
}
+ onPhotoCropped(mTakePictureUri, false);
+ }
+
+ private boolean startSystemActivityForResult(Intent intent, int code) {
+ List<ResolveInfo> resolveInfos = mContext.getPackageManager()
+ .queryIntentActivities(intent, PackageManager.MATCH_SYSTEM_ONLY);
+ if (resolveInfos.isEmpty()) {
+ Log.w(TAG, "No system package activity could be found for code " + code);
+ return false;
+ }
+ intent.setPackage(resolveInfos.get(0).activityInfo.packageName);
+ mFragment.startActivityForResult(intent, code);
+ return true;
}
private void appendOutputExtra(Intent intent, Uri pictureUri) {