Don't allow files under Chrome's data dir to be uploaded

Files under Chrome's data dir is private to Chrome. Other apps shouldn't be able to access it. So hard coded file path provided by another app should also not work. BUG=859349 Change-Id: I51bc25a278ff70dcfbaaab8bc8e52123063d9a0c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1762916 Commit-Queue: Min Qin <qinmin@chromium.org> Reviewed-by: Peter Beverloo <peter@chromium.org> Cr-Commit-Position: refs/heads/master@{#689545}

Don't allow files under Chrome's data dir to be uploaded
Files under Chrome's data dir is private to Chrome. Other apps shouldn't be able to access it. So hard coded file path provided by another app should also not work. BUG=859349 Change-Id: I51bc25a278ff70dcfbaaab8bc8e52123063d9a0c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1762916 Commit-Queue: Min Qin <qinmin@chromium.org> Reviewed-by: Peter Beverloo <peter@chromium.org> Cr-Commit-Position: refs/heads/master@{#689545}
70912634 · Min Qin · Commit Bot · b5456110 · 70912634
Commit 70912634 authored Aug 22, 2019 by Min Qin Committed by Commit Bot Aug 22, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 2 deletions

ui/android/java/src/org/chromium/ui/base/SelectFileDialog.java ...droid/java/src/org/chromium/ui/base/SelectFileDialog.java +8 -2

No files found.
--- a/ui/android/java/src/org/chromium/ui/base/SelectFileDialog.java
+++ b/ui/android/java/src/org/chromium/ui/base/SelectFileDialog.java
@@ -22,6 +22,7 @@ import android.webkit.MimeTypeMap;
 import org.chromium.base.ContentUriUtils;
 import org.chromium.base.ContextUtils;
 import org.chromium.base.Log;
+import org.chromium.base.PathUtils;
 import org.chromium.base.ThreadUtils;
 import org.chromium.base.VisibleForTesting;
 import org.chromium.base.annotations.CalledByNative;
@@ -544,8 +545,13 @@ public class SelectFileDialog implements WindowAndroid.IntentCallback, PhotoPick
        }

        if (ContentResolver.SCHEME_FILE.equals(results.getData().getScheme())) {
-            onFileSelected(mNativeSelectFileDialog, results.getData().getSchemeSpecificPart(), "");
-            return;
+            String filePath = results.getData().getPath();
+            // Don't allow files under private data dir to be uploaded.
+            if (!TextUtils.isEmpty(filePath)
+                    && !filePath.startsWith(PathUtils.getDataDirectory())) {
+                onFileSelected(mNativeSelectFileDialog, filePath, "");
+                return;
+            }
        }

        if (ContentResolver.SCHEME_CONTENT.equals(results.getScheme())) {