commit | 2826a2519fe3e0554cffc6be3608154ce990e741 | [log] [tgz] |
---|---|---|
author | Pranav Madapurmath <pmadapurmath@google.com> | Wed Apr 05 21:36:12 2023 +0000 |
committer | Prashantsinh Parmar <prashantsinh.parmar@fairphone.partners> | Thu Dec 14 12:40:50 2023 +0530 |
tree | b8f343b192e8301270c6990df78e17531f0904da | |
parent | 3e9080022cbc09e7ca7dd3d956e1fe7b591f08c3 [diff] |
Resolve account image icon profile boundary exploit. Because Telecom grants the INTERACT_ACROSS_USERS permission, an exploit is possible where the user can upload an image icon (belonging to another user) via registering a phone account. This CL provides a lightweight solution for parsing the image URI to detect profile exploitation. Fixes: 273502295 Fixes: 296915211 Test: Unit test to enforce successful/failure path (cherry picked from commit d0d1d38e37de54e58a7532a0020582fbd7d476b7) (cherry picked from commit e7d0ca3fe5be6e393f643f565792ea5e7ed05f48) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a604311f86ea8136ca2ac9f9ff0af7fa57ee3f42) Merged-In: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5 Change-Id: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5