commit | 677428ef049d745a1aa4330d50b4b865d3980de6 | [log] [tgz] |
---|---|---|
author | Pranav Madapurmath <pmadapurmath@google.com> | Wed Apr 05 21:36:12 2023 +0000 |
committer | android-t1 <android-t1@t2mobile.com> | Wed Nov 29 10:31:38 2023 +0800 |
tree | 0ce8c56cd7fe2f45b7b4ab9c7355835c5b70d245 | |
parent | 59104a2e3076dca799477e76480d02c621118a44 [diff] |
Resolve account image icon profile boundary exploit. Because Telecom grants the INTERACT_ACROSS_USERS permission, an exploit is possible where the user can upload an image icon (belonging to another user) via registering a phone account. This CL provides a lightweight solution for parsing the image URI to detect profile exploitation. Fixes: 273502295 Fixes: 296915211 Test: Unit test to enforce successful/failure path (cherry picked from commit d0d1d38e37de54e58a7532a0020582fbd7d476b7) (cherry picked from commit e7d0ca3fe5be6e393f643f565792ea5e7ed05f48) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a604311f86ea8136ca2ac9f9ff0af7fa57ee3f42) Merged-In: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5 Change-Id: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5