commit | 68dca62035c49e14ad26a54f614199cb29a3393f | [log] [tgz] |
---|---|---|
author | Pranav Madapurmath <pmadapurmath@google.com> | Wed Apr 05 21:36:12 2023 +0000 |
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | Wed Oct 11 22:51:05 2023 +0000 |
tree | 6644aeb29a3dde79c2eca384d13d4669e4621c43 | |
parent | f177186e464871f5ccfe74c37f3265769d0a2024 [diff] |
Resolve account image icon profile boundary exploit. Because Telecom grants the INTERACT_ACROSS_USERS permission, an exploit is possible where the user can upload an image icon (belonging to another user) via registering a phone account. This CL provides a lightweight solution for parsing the image URI to detect profile exploitation. Fixes: 273502295 Fixes: 296915211 Test: Unit test to enforce successful/failure path (cherry picked from commit d0d1d38e37de54e58a7532a0020582fbd7d476b7) (cherry picked from commit e7d0ca3fe5be6e393f643f565792ea5e7ed05f48) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a604311f86ea8136ca2ac9f9ff0af7fa57ee3f42) Merged-In: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5 Change-Id: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5