Fix for SAF loophole in the lastAccessedStack.

When loading the last accessed stack, the code did not check if the file path (uri) should be blocked, thereby allowing an attacker to bypass the scoped storage restriction put on initial uri. This change adds the check when loading last accessed stack. Bug: 352294617 Test: Manual as per http://b/352294617#comment4 Flag: EXEMPT bugfix Change-Id: I4de8bad7174273c9390da978e186ad6a85f27be5
author: Aditya <adityasngh@google.com> 2025-01-02 09:53:16 +0000
committer: Aditya <adityasngh@google.com> 2025-01-02 09:53:16 +0000
commit: 30596588b508f1e5e97631470af479214898064a (patch)
tree: 93beb0d50cbdac70ca6ed25ea4e1479c2603e8c2
parent: 24f2aca35c31aad299965c96001fc78465523b51 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/src/com/android/documentsui/picker/ActionHandler.java b/src/com/android/documentsui/picker/ActionHandler.java
index 4ea7bbc2d..553fa6986 100644
--- a/src/com/android/documentsui/picker/ActionHandler.java
+++ b/src/com/android/documentsui/picker/ActionHandler.java
@@ -272,6 +272,9 @@ class ActionHandler<T extends FragmentActivity & Addons> extends AbstractActionH
     private void onLastAccessedStackLoaded(@Nullable DocumentStack stack) {
         if (stack == null) {
             loadDefaultLocation();
+        } else if (shouldPreemptivelyRestrictRequestedInitialUri(stack.peek().getDocumentUri())) {
+            // If the last accessed stack has restricted uri, load default location
+            loadDefaultLocation();
         } else {
             mState.stack.reset(stack);
             mActivity.refreshCurrentRootAndDirectory(AnimationView.ANIM_NONE);
author	Aditya <adityasngh@google.com>	2025-01-02 09:53:16 +0000
committer	Aditya <adityasngh@google.com>	2025-01-02 09:53:16 +0000
commit	30596588b508f1e5e97631470af479214898064a (patch)
tree	93beb0d50cbdac70ca6ed25ea4e1479c2603e8c2
parent	24f2aca35c31aad299965c96001fc78465523b51 (diff)