From 7cf9ad5fee4b6315ef1d53b4f072e30c6be5c55b Mon Sep 17 00:00:00 2001 From: Christian Schneppe Date: Thu, 4 Oct 2018 20:17:58 +0200 Subject: Do weOwnFile security check only when attaching MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The general security check is recommend so a third party can not ask us to send an internal file. But we don’t need to do this for files we attach ourself from within the app
---
.../java/de/pixart/messenger/ui/ConversationFragment.java | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) (limited to 'src/main/java/de/pixart/messenger/ui')
diff --git a/src/main/java/de/pixart/messenger/ui/ConversationFragment.java b/src/main/java/de/pixart/messenger/ui/ConversationFragment.java
index 215c7d39c..eddf5abdc 100644
--- a/src/main/java/de/pixart/messenger/ui/ConversationFragment.java
+++ b/src/main/java/de/pixart/messenger/ui/ConversationFragment.java
@@ -2245,7 +2245,8 @@ public class ConversationFragment extends XmppFragment implements EditMessage.Ke
 final boolean pm = extras.getBoolean(ConversationsActivity.EXTRA_IS_PRIVATE_MESSAGE, false);
 final List uris = extractUris(extras);
 if (uris != null && uris.size() > 0) {
- mediaPreviewAdapter.addMediaPreviews(Attachment.of(getActivity(), uris));
+ final List cleanedUris = cleanUris(new ArrayList<>(uris));
+ mediaPreviewAdapter.addMediaPreviews(Attachment.of(getActivity(), cleanedUris));
 toggleInputMethod();
 return;
 }
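Review bot: When `cleanUris` refuses every URI, `cleanedUris` is empty, yet this branch still calls `addMediaPreviews(...)`, toggles the input method and returns, so whatever follows the `if` is skipped for an intent whose attachments were all rejected. Making the refusal path explicit, for example `if (cleanedUris.isEmpty()) { return; }` before the preview call (or falling through, if the remaining extras should still be handled), keeps the UI from being driven with an empty attachment list. The enclosing method starts and ends outside this hunk, so how the other extras are processed is not visible here.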
@@ -2290,6 +2291,18 @@ public class ConversationFragment extends XmppFragment implements EditMessage.Ke
 }
 }
+ private List cleanUris(List uris) {
+ Iterator iterator = uris.iterator();
+ while (iterator.hasNext()) {
+ final Uri uri = iterator.next();
+ if (FileBackend.weOwnFile(getActivity(), uri)) {
+ iterator.remove();
+ Toast.makeText(getActivity(), R.string.security_violation_not_attaching_file, Toast.LENGTH_SHORT).show();
+ }
+ }
+ return uris;
+ }
+
 private boolean showBlockSubmenu(View view) {
 final Jid jid = conversation.getJid();
 if (jid.getLocal() == null) {
-- cgit v1.2.3
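Review bot: `cleanUris` is a security filter, but nothing in the method says so, and a refused URI leaves no trace beyond a short Toast. Add a comment above it such as `// Drops URIs that point at files owned by this app, so an external intent cannot make us attach internal files; mutates and returns the given list.` and log each refusal at warning level next to `iterator.remove()` so the event can be found afterwards. The Toast is raised once per refused URI inside the loop; showing it once after the loop would avoid stacking identical messages. What `FileBackend.weOwnFile` accepts or rejects is not part of this diff, so which URI schemes the filter actually covers should be confirmed there.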