From 594e65bb2b26d1c99b96c12558bf9d523e68269e Mon Sep 17 00:00:00 2001
From: Daniel Gultsch
Date: Wed, 13 Apr 2016 11:14:36 +0200
Subject: hacky workaround to determine if uri points to private file on < lolipop
---
 .../conversations/persistance/FileBackend.java | 26 +++++++++++++++++-----
 .../services/XmppConnectionService.java | 4 ++--
 .../ui/PublishProfilePictureActivity.java | 4 ++--
 3 files changed, 25 insertions(+), 9 deletions(-)
diff --git a/src/main/java/eu/siacs/conversations/persistance/FileBackend.java b/src/main/java/eu/siacs/conversations/persistance/FileBackend.java
index 0d770fef..30609214 100644
--- a/src/main/java/eu/siacs/conversations/persistance/FileBackend.java
+++ b/src/main/java/eu/siacs/conversations/persistance/FileBackend.java
@@ -693,13 +693,29 @@ public class FileBackend {
 }
- public static boolean weOwnFile(Uri uri) {
- if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) {
+ public static boolean weOwnFile(Context context, Uri uri) {
+ if (uri == null || !ContentResolver.SCHEME_FILE.equals(uri.getScheme())) {
 return false;
+ } else if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) {
+ return fileIsInFilesDir(context, uri);
 } else {
- return uri != null
- && ContentResolver.SCHEME_FILE.equals(uri.getScheme())
- && weOwnFileLollipop(uri);
+ return weOwnFileLollipop(uri);
+ }
+ }
+
+
+ /**
+ * This is more than hacky but probably way better than doing nothing
+ * Further 'optimizations' might contain to get the parents of CacheDir and NoBackupDir
+ * and check against those as well
+ */
+ private static boolean fileIsInFilesDir(Context context, Uri uri) {
+ try {
+ final String haystack = context.getFilesDir().getParentFile().getCanonicalPath();
+ final String needle = new File(uri.getPath()).getCanonicalPath();
+ return needle.startsWith(haystack);
+ } catch (IOException e) {
+ return false;
 }
 }
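Review bot: In `fileIsInFilesDir`, `uri.getPath()` returns null for a non-hierarchical URI (for example `file:name`), and `new File(...)` on a null path throws a NullPointerException that `catch (IOException e)` does not cover, so a malformed Uri reaching this guard crashes the caller instead of being refused; read the path first and reject it, `final String path = uri.getPath(); if (path == null) return true;`. The containment test `needle.startsWith(haystack)` is a raw string prefix, so it also matches a sibling directory whose name merely begins with the app's data directory name; compare on a path boundary instead, `return needle.equals(haystack) || needle.startsWith(haystack + File.separator);`. The `catch` branch returns false, which lets the attachment proceed when canonicalisation fails; for a guard like this, returning true (treat as ours and refuse) looks like the safer default, though that should be confirmed against how the callers use the result. Both new methods are complete inside the hunk, while `weOwnFileLollipop` is not shown here.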
diff --git a/src/main/java/eu/siacs/conversations/services/XmppConnectionService.java b/src/main/java/eu/siacs/conversations/services/XmppConnectionService.java
index 0c4e5f62..61d78409 100644
--- a/src/main/java/eu/siacs/conversations/services/XmppConnectionService.java
+++ b/src/main/java/eu/siacs/conversations/services/XmppConnectionService.java
@@ -403,7 +403,7 @@ public class XmppConnectionService extends Service implements OnPhoneContactsLoa
 public void attachFileToConversation(final Conversation conversation, final Uri uri, final UiCallback callback) {
- if (FileBackend.weOwnFile(uri)) {
+ if (FileBackend.weOwnFile(this, uri)) {
 Log.d(Config.LOGTAG,"trying to attach file that belonged to us");
 callback.error(R.string.security_error_invalid_file_access, null);
 return;
@@ -446,7 +446,7 @@ public class XmppConnectionService extends Service implements OnPhoneContactsLoa
 }
 public void attachImageToConversation(final Conversation conversation, final Uri uri, final UiCallback callback) {
- if (FileBackend.weOwnFile(uri)) {
+ if (FileBackend.weOwnFile(this, uri)) {
 Log.d(Config.LOGTAG,"trying to attach file that belonged to us");
 callback.error(R.string.security_error_invalid_file_access, null);
 return;
diff --git a/src/main/java/eu/siacs/conversations/ui/PublishProfilePictureActivity.java b/src/main/java/eu/siacs/conversations/ui/PublishProfilePictureActivity.java
index 27a3efe5..0752ae32 100644
--- a/src/main/java/eu/siacs/conversations/ui/PublishProfilePictureActivity.java
+++ b/src/main/java/eu/siacs/conversations/ui/PublishProfilePictureActivity.java
@@ -191,7 +191,7 @@ public class PublishProfilePictureActivity extends XmppActivity {
 Uri source = data.getData();
 switch (requestCode) {
 case REQUEST_CHOOSE_FILE_AND_CROP:
- if (FileBackend.weOwnFile(source)) {
+ if (FileBackend.weOwnFile(this, source)) {
 Toast.makeText(this,R.string.security_error_invalid_file_access,Toast.LENGTH_SHORT).show();
 return;
 }
@@ -204,7 +204,7 @@ public class PublishProfilePictureActivity extends XmppActivity {
 Crop.of(source, destination).asSquare().withMaxSize(size, size).start(this);
 break;
 case REQUEST_CHOOSE_FILE:
- if (FileBackend.weOwnFile(source)) {
+ if (FileBackend.weOwnFile(this, source)) {
 Toast.makeText(this,R.string.security_error_invalid_file_access,Toast.LENGTH_SHORT).show();
 return;
 }
-- cgit v1.2.3