From 30596588b508f1e5e97631470af479214898064a Mon Sep 17 00:00:00 2001
From: Aditya <adityasngh@google.com>
Date: Thu, 2 Jan 2025 09:53:16 +0000
Subject: Fix for SAF loophole in the lastAccessedStack.

When loading the last accessed stack, the code did not check if the file
path (uri) should be blocked, thereby allowing an attacker to bypass the
scoped storage restriction put on initial uri.
This change adds the check when loading last accessed stack.

Bug: 352294617
Test: Manual as per http://b/352294617#comment4
Flag: EXEMPT bugfix
Change-Id: I4de8bad7174273c9390da978e186ad6a85f27be5
---
 src/com/android/documentsui/picker/ActionHandler.java | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/com/android/documentsui/picker/ActionHandler.java b/src/com/android/documentsui/picker/ActionHandler.java
index 4ea7bbc2d..553fa6986 100644
--- a/src/com/android/documentsui/picker/ActionHandler.java
+++ b/src/com/android/documentsui/picker/ActionHandler.java
@@ -272,6 +272,9 @@ class ActionHandler<T extends FragmentActivity & Addons> extends AbstractActionH
     private void onLastAccessedStackLoaded(@Nullable DocumentStack stack) {
         if (stack == null) {
             loadDefaultLocation();
+        } else if (shouldPreemptivelyRestrictRequestedInitialUri(stack.peek().getDocumentUri())) {
+            // If the last accessed stack has restricted uri, load default location
+            loadDefaultLocation();
         } else {
             mState.stack.reset(stack);
             mActivity.refreshCurrentRootAndDirectory(AnimationView.ANIM_NONE);
-- 
cgit v1.2.3-59-g8ed1b