aboutsummaryrefslogtreecommitdiffstats
path: root/src/main
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/main/java/eu/siacs/conversations/persistance/FileBackend.java26
-rw-r--r--src/main/java/eu/siacs/conversations/services/XmppConnectionService.java4
-rw-r--r--src/main/java/eu/siacs/conversations/ui/PublishProfilePictureActivity.java4
3 files changed, 25 insertions, 9 deletions
diff --git a/src/main/java/eu/siacs/conversations/persistance/FileBackend.java b/src/main/java/eu/siacs/conversations/persistance/FileBackend.java
index 0d770fef..30609214 100644
--- a/src/main/java/eu/siacs/conversations/persistance/FileBackend.java
+++ b/src/main/java/eu/siacs/conversations/persistance/FileBackend.java
@@ -693,13 +693,29 @@ public class FileBackend {
}
- public static boolean weOwnFile(Uri uri) {
- if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) {
+ public static boolean weOwnFile(Context context, Uri uri) {
+ if (uri == null || !ContentResolver.SCHEME_FILE.equals(uri.getScheme())) {
return false;
+ } else if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) {
+ return fileIsInFilesDir(context, uri);
} else {
- return uri != null
- && ContentResolver.SCHEME_FILE.equals(uri.getScheme())
- && weOwnFileLollipop(uri);
+ return weOwnFileLollipop(uri);
+ }
+ }
+
+
+ /**
+ * This is more than hacky but probably way better than doing nothing
+ * Further 'optimizations' might contain to get the parents of CacheDir and NoBackupDir
+ * and check against those as well
+ */
+ private static boolean fileIsInFilesDir(Context context, Uri uri) {
+ try {
+ final String haystack = context.getFilesDir().getParentFile().getCanonicalPath();
+ final String needle = new File(uri.getPath()).getCanonicalPath();
+ return needle.startsWith(haystack);
+ } catch (IOException e) {
+ return false;
}
}
diff --git a/src/main/java/eu/siacs/conversations/services/XmppConnectionService.java b/src/main/java/eu/siacs/conversations/services/XmppConnectionService.java
index 0c4e5f62..61d78409 100644
--- a/src/main/java/eu/siacs/conversations/services/XmppConnectionService.java
+++ b/src/main/java/eu/siacs/conversations/services/XmppConnectionService.java
@@ -403,7 +403,7 @@ public class XmppConnectionService extends Service implements OnPhoneContactsLoa
public void attachFileToConversation(final Conversation conversation,
final Uri uri,
final UiCallback<Message> callback) {
- if (FileBackend.weOwnFile(uri)) {
+ if (FileBackend.weOwnFile(this, uri)) {
Log.d(Config.LOGTAG,"trying to attach file that belonged to us");
callback.error(R.string.security_error_invalid_file_access, null);
return;
@@ -446,7 +446,7 @@ public class XmppConnectionService extends Service implements OnPhoneContactsLoa
}
public void attachImageToConversation(final Conversation conversation, final Uri uri, final UiCallback<Message> callback) {
- if (FileBackend.weOwnFile(uri)) {
+ if (FileBackend.weOwnFile(this, uri)) {
Log.d(Config.LOGTAG,"trying to attach file that belonged to us");
callback.error(R.string.security_error_invalid_file_access, null);
return;
diff --git a/src/main/java/eu/siacs/conversations/ui/PublishProfilePictureActivity.java b/src/main/java/eu/siacs/conversations/ui/PublishProfilePictureActivity.java
index 27a3efe5..0752ae32 100644
--- a/src/main/java/eu/siacs/conversations/ui/PublishProfilePictureActivity.java
+++ b/src/main/java/eu/siacs/conversations/ui/PublishProfilePictureActivity.java
@@ -191,7 +191,7 @@ public class PublishProfilePictureActivity extends XmppActivity {
Uri source = data.getData();
switch (requestCode) {
case REQUEST_CHOOSE_FILE_AND_CROP:
- if (FileBackend.weOwnFile(source)) {
+ if (FileBackend.weOwnFile(this, source)) {
Toast.makeText(this,R.string.security_error_invalid_file_access,Toast.LENGTH_SHORT).show();
return;
}
@@ -204,7 +204,7 @@ public class PublishProfilePictureActivity extends XmppActivity {
Crop.of(source, destination).asSquare().withMaxSize(size, size).start(this);
break;
case REQUEST_CHOOSE_FILE:
- if (FileBackend.weOwnFile(source)) {
+ if (FileBackend.weOwnFile(this, source)) {
Toast.makeText(this,R.string.security_error_invalid_file_access,Toast.LENGTH_SHORT).show();
return;
}