Do weOwnFile security check only when attaching

The general security check is recommended so that a third party cannot ask us to send an internal file. But we don’t need to do this for files we attach ourselves from within Conversations.
Daniel Gultsch 2018-10-04 17:17:18 +02:00
parent 657b1cae9d
commit 04ac2264e8
2 changed files with 15 additions and 1 deletions


@ -1988,7 +1988,8 @@ public class ConversationFragment extends XmppFragment implements EditMessage.Ke
final boolean pm = extras.getBoolean(ConversationsActivity.EXTRA_IS_PRIVATE_MESSAGE, false); final boolean pm = extras.getBoolean(ConversationsActivity.EXTRA_IS_PRIVATE_MESSAGE, false);
final List<Uri> uris = extractUris(extras); final List<Uri> uris = extractUris(extras);
if (uris != null && uris.size() > 0) { if (uris != null && uris.size() > 0) {
mediaPreviewAdapter.addMediaPreviews(Attachment.of(getActivity(), uris)); final List<Uri> cleanedUris = cleanUris(new ArrayList<>(uris));
mediaPreviewAdapter.addMediaPreviews(Attachment.of(getActivity(), cleanedUris));
toggleInputMethod(); toggleInputMethod();
return; return;
} }
@ -2033,6 +2034,18 @@ public class ConversationFragment extends XmppFragment implements EditMessage.Ke
} }
} }
private List<Uri> cleanUris(List<Uri> uris) {
Iterator<Uri> iterator = uris.iterator();
while(iterator.hasNext()) {
final Uri uri = iterator.next();
if (FileBackend.weOwnFile(getActivity(), uri)) {
iterator.remove();
Toast.makeText(getActivity(), R.string.security_violation_not_attaching_file, Toast.LENGTH_SHORT).show();
}
}
return uris;
}
private boolean showBlockSubmenu(View view) { private boolean showBlockSubmenu(View view) {
final Jid jid = conversation.getJid(); final Jid jid = conversation.getJid();
if (jid.getLocal() == null) { if (jid.getLocal() == null) {
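Review bot: In `cleanUris` the toast is raised inside the loop, so an intent carrying several rejected URIs queues one `security_violation_not_attaching_file` toast per URI, and nothing records which URI was dropped; setting a flag in the loop and showing the toast once after it, plus a log line for each rejected URI, would make a refused share easier to diagnose. The method also needs a short comment explaining why a file the app owns is the one that gets refused, for example `// drop URIs that resolve to our own private files so another app cannot make us send them`. The check runs when the preview is built, and whether the URI is checked again when the file is actually opened for sending is not visible here, so the guarantee depends on `FileBackend.weOwnFile` and on the send path, both outside this section. When every URI is rejected, the first hunk still calls `addMediaPreviews` with an empty list and returns early.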


@ -738,4 +738,5 @@
<string name="view_media">View media</string> <string name="view_media">View media</string>
<string name="media_browser">Media browser</string> <string name="media_browser">Media browser</string>
<string name="export_channel_name">History export</string> <string name="export_channel_name">History export</string>
<string name="security_violation_not_attaching_file">File omitted due to security violation.</string>
</resources> </resources>