commit | 5e124cf6b7016030c18061ae1086b18a1f3e4e28 | [log] [tgz] |
---|---|---|
author | Pranav Madapurmath <pmadapurmath@google.com> | Wed Apr 05 21:36:12 2023 +0000 |
committer | android-t1 <android-t1@t2mobile.com> | Tue Nov 28 14:37:52 2023 +0800 |
tree | 1af711ac138a2c39015c3bd2df4d463d711bb78b | |
parent | dd7d6589f6d48e0c42832c97765532851627f8a2 [diff] |
Resolve account image icon profile boundary exploit. Because Telecom grants the INTERACT_ACROSS_USERS permission, an exploit is possible where the user can upload an image icon (belonging to another user) via registering a phone account. This CL provides a lightweight solution for parsing the image URI to detect profile exploitation. Fixes: 273502295 Fixes: 296915211 Test: Unit test to enforce successful/failure path (cherry picked from commit d0d1d38e37de54e58a7532a0020582fbd7d476b7) (cherry picked from commit e7d0ca3fe5be6e393f643f565792ea5e7ed05f48) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a604311f86ea8136ca2ac9f9ff0af7fa57ee3f42) Merged-In: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5 Change-Id: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5