fix: Use permission check for contact URI validation
Changed the validation logic in onActivityResult for contact data.
Instead of comparing user IDs, the code now verifies if the caller
has explicit read permission for the returned URI using
checkContentUriPermission.
This ensures proper access control based on granted permissions.
Throws SecurityException on denial for better error reporting.
Flag: EXEMPT security fix
Bug: 337784859
Test: manual - steps for manual test
1. sign into personal/test acct
2. create a pin for the personal acct
3. create a work profile via adb cmd
4. add pin for work profile
5. add a work profile contact
6. open PoC app
(cherry picked from commit 522822360789507788c90c9e37edb7f1095ae5ab)
Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:a727dc2d556d7bddb66cb289b2658cc73dba789f
Merged-In: I858041662a19a179e1fd49b3747d0fc013625015
Change-Id: I858041662a19a179e1fd49b3747d0fc013625015
diff --git a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java
index 6bed39a..ae6dd96 100644
--- a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java
+++ b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java
@@ -19,15 +19,15 @@
import static android.app.Activity.RESULT_OK;
-import android.content.ContentProvider;
+import android.app.ComponentCaller;
import android.content.ContentValues;
import android.content.Intent;
+import android.content.pm.PackageManager;
import android.content.res.Resources;
import android.database.Cursor;
import android.net.Uri;
import android.os.Bundle;
import android.os.PersistableBundle;
-import android.os.Process;
import android.os.UserHandle;
import android.provider.ContactsContract.CommonDataKinds;
import android.telephony.CarrierConfigManager;
@@ -38,6 +38,7 @@
import android.text.TextUtils;
import android.text.TextWatcher;
import android.text.method.DialerKeyListener;
+import android.util.EventLog;
import android.util.Log;
import android.view.Menu;
import android.view.MenuItem;
@@ -141,17 +142,30 @@
if (DBG) log("onActivityResult: cancelled.");
return;
}
+ ComponentCaller currentCaller = getCurrentCaller();
+ Uri contactUri = (intent != null) ? intent.getData() : null;
+ if (contactUri == null) {
+ Log.w(LOG_TAG, "onActivityResult: Intent data or contact URI is null.");
+ return;
+ }
+ if (currentCaller.checkContentUriPermission(
+ contactUri,
+ Intent.FLAG_GRANT_READ_URI_PERMISSION)
+ == PackageManager.PERMISSION_DENIED) {
+ EventLog.writeEvent(0x534e4554, "337784859", currentCaller.getUid(),
+ "Permission denied, cannot access contact");
+ throw new SecurityException(String.format(
+ "Permission denial: Caller (uid=%d, pkg=%s) lacks specific permission"
+ + " grant %s to access contact URI %s.",
+ currentCaller.getUid(),
+ currentCaller.getPackage(),
+ "FLAG_GRANT_READ_URI_PERMISSION",
+ contactUri
+ ));
+ }
Cursor cursor = null;
try {
- // check if the URI returned by the user belongs to the user
- final int currentUser = UserHandle.getUserId(Process.myUid());
- if (currentUser
- != ContentProvider.getUserIdFromUri(intent.getData(), currentUser)) {
- Log.w(LOG_TAG, "onActivityResult: Contact data of different user, "
- + "cannot access");
- return;
- }
- cursor = getContentResolver().query(intent.getData(),
+ cursor = getContentResolver().query(contactUri,
NUM_PROJECTION, null, null, null);
if ((cursor == null) || (!cursor.moveToFirst())) {
Log.w(LOG_TAG,"onActivityResult: bad contact data, no results found.");
