From 04ac2264e83f01e8b201579d05bbbe136a35a7d7 Mon Sep 17 00:00:00 2001
From: Daniel Gultsch
Date: Thu, 4 Oct 2018 17:17:18 +0200
Subject: [PATCH] Do weOwnFile security check only when attaching
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The general security check is recommend so a third party can not ask us to send an internal file. But we don’t need to do this for files we attach ourself from within Conversations
---
 .../conversations/ui/ConversationFragment.java | 15 ++++++++++++++-
 src/main/res/values/strings.xml | 1 +
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/main/java/eu/siacs/conversations/ui/ConversationFragment.java b/src/main/java/eu/siacs/conversations/ui/ConversationFragment.java
index d1a93d9e3..904ecf673 100644
--- a/src/main/java/eu/siacs/conversations/ui/ConversationFragment.java
+++ b/src/main/java/eu/siacs/conversations/ui/ConversationFragment.java
@@ -1988,7 +1988,8 @@ public class ConversationFragment extends XmppFragment implements EditMessage.Ke
 final boolean pm = extras.getBoolean(ConversationsActivity.EXTRA_IS_PRIVATE_MESSAGE, false);
 final List uris = extractUris(extras);
 if (uris != null && uris.size() > 0) {
- mediaPreviewAdapter.addMediaPreviews(Attachment.of(getActivity(), uris));
+ final List cleanedUris = cleanUris(new ArrayList<>(uris));
+ mediaPreviewAdapter.addMediaPreviews(Attachment.of(getActivity(), cleanedUris));
 toggleInputMethod();
 return;
 }
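Review bot: The `uris.size() > 0` test runs on the unfiltered list, so when `cleanUris` removes every entry the branch still calls `addMediaPreviews` with an empty list, toggles the input method and returns early. Filtering before the test, e.g. `final List<Uri> cleanedUris = uris == null ? null : cleanUris(new ArrayList<>(uris));` followed by `if (cleanedUris != null && !cleanedUris.isEmpty()) {`, would let a request whose attachments were all rejected fall through to the handling after this branch. The enclosing method starts and ends outside the hunk, so confirm that falling through is the wanted outcome.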
@@ -2033,6 +2034,18 @@ public class ConversationFragment extends XmppFragment implements EditMessage.Ke
 }
 }
 
+ private List cleanUris(List uris) {
+ Iterator iterator = uris.iterator();
+ while(iterator.hasNext()) {
+ final Uri uri = iterator.next();
+ if (FileBackend.weOwnFile(getActivity(), uri)) {
+ iterator.remove();
+ Toast.makeText(getActivity(), R.string.security_violation_not_attaching_file, Toast.LENGTH_SHORT).show();
+ }
+ }
+ return uris;
+ }
+
 private boolean showBlockSubmenu(View view) {
 final Jid jid = conversation.getJid();
 if (jid.getLocal() == null) {
diff --git a/src/main/res/values/strings.xml b/src/main/res/values/strings.xml
index a6923302f..fdcbf0752 100644
--- a/src/main/res/values/strings.xml
+++ b/src/main/res/values/strings.xml
@@ -738,4 +738,5 @@ View media Media browser History export + File omitted due to security violation.
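Review bot: `cleanUris` carries no comment saying it is a security filter, although the commit message makes it the place where the weOwnFile check now guards attachments requested from outside the app, and the name alone does not suggest that. A comment such as `// Drop URIs pointing at files owned by this app so a third party cannot make us send internal data; mutates and returns the given list.` would keep a later refactor from removing it. The verdict rests entirely on `FileBackend.weOwnFile`, whose body is outside this diff, so confirm that it also covers non-`file` schemes and paths that only resolve into app storage after canonicalisation. The rejection is surfaced only as one Toast per removed URI; logging the rejected URI at warning level would leave a trace for later triage, and a single Toast after the loop avoids a queue of identical messages.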