Fix exposing private messages files through attachments with a content URI. am: 0d5452146c am: f5c73b1923

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/apps/Messaging/+/23089831

Change-Id: Ida74ec2de652b8e4fcb874a111852f655ba64cfe
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/src/com/android/messaging/util/FileUtil.java b/src/com/android/messaging/util/FileUtil.java
index 71fbb4b..e7d86f2 100644
--- a/src/com/android/messaging/util/FileUtil.java
+++ b/src/com/android/messaging/util/FileUtil.java
@@ -20,6 +20,7 @@
 import android.content.Context;
 import android.net.Uri;
 import android.os.Environment;
+import android.os.ParcelFileDescriptor;
 import android.text.TextUtils;
 
 import com.android.messaging.Factory;
@@ -28,6 +29,8 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.text.SimpleDateFormat;
 import java.util.Date;
 import java.util.Locale;
@@ -121,6 +124,10 @@
     // We're told it's possible to create world readable hardlinks to other apps private data
     // so we ban all /data file uris.
     public static boolean isInPrivateDir(Uri uri) {
+        return isFileUriInPrivateDir(uri) || isContentUriInPrivateDir(uri);
+    }
+
+    private static boolean isFileUriInPrivateDir(Uri uri) {
         if (!UriUtil.isFileUri(uri)) {
             return false;
         }
@@ -128,6 +135,24 @@
         return FileUtil.isSameOrSubDirectory(Environment.getDataDirectory(), file);
     }
 
+    private static boolean isContentUriInPrivateDir(Uri uri) {
+        if (!uri.getScheme().equals(ContentResolver.SCHEME_CONTENT)) {
+            return false;
+        }
+        try {
+            Context context = Factory.get().getApplicationContext();
+            ParcelFileDescriptor pfd = context.getContentResolver().openFileDescriptor(uri, "r");
+            int fd = pfd.getFd();
+            // Use the file descriptor to find out the read file path through symbolic link.
+            Path fdPath = Paths.get("/proc/self/fd/" + fd);
+            Path filePath = java.nio.file.Files.readSymbolicLink(fdPath);
+            pfd.close();
+            return FileUtil.isSameOrSubDirectory(Environment.getDataDirectory(), filePath.toFile());
+        } catch (Exception e) {
+            return false;
+        }
+    }
+
     /**
      * Checks, whether the child directory is the same as, or a sub-directory of the base
      * directory.