Merge pull request #8433 from nextcloud/verifyLocalPath

prevent upload from sensitive path
nextcloud · May 20, 2021 · 8af3112 · 8af3112
2 parents b25eef9 + 97d6f29
commit 8af3112
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/src/main/java/com/owncloud/android/files/services/FileUploader.java b/src/main/java/com/owncloud/android/files/services/FileUploader.java
@@ -29,6 +29,7 @@
 import android.accounts.Account;
 import android.accounts.AccountManager;
 import android.accounts.OnAccountsUpdateListener;
+import android.annotation.SuppressLint;
 import android.app.Notification;
 import android.app.NotificationManager;
 import android.app.PendingIntent;
@@ -449,6 +450,7 @@ private Integer gatherAndStartNewUploads(
     /**
      * Start a new {@link UploadFileOperation}.
      */
+    @SuppressLint("SdCardPath")
     private void startNewUpload(
         User user,
         List<String> requestedUploads,
@@ -461,6 +463,11 @@ private void startNewUpload(
         OCFile file,
         boolean disableRetries
                                ) {
+        if (file.getStoragePath().startsWith("/data/data/")) {
+            Log_OC.d(TAG, "Upload from sensitive path is not allowed");
+            return;
+        }
+
         OCUpload ocUpload = new OCUpload(file, user.toPlatformAccount());
         ocUpload.setFileSize(file.getFileLength());
         ocUpload.setNameCollisionPolicy(nameCollisionPolicy);