CanHub / Android-Image-Cropper

Image Cropping Library for Android, optimised for Camera / Gallery.
Apache License 2.0

Unhandled SecurityException: Resolved path jumped beyond configured root #587

Closed EzequielAdrianM closed 2 months ago

EzequielAdrianM commented 1 year ago

Seems like some users with super user privilege are causing a crash in the library. Here is the stack trace:

Fatal Exception: java.lang.SecurityException: Resolved path jumped beyond configured root
       at androidx.core.content.FileProvider$SimplePathStrategy.getFileForUri(FileProvider.java:864)
       at androidx.core.content.FileProvider.openFile(FileProvider.java:630)
       at android.content.ContentProvider.openAssetFile(ContentProvider.java:2070)
       at android.content.ContentProvider.openAssetFile(ContentProvider.java:2131)
       at android.content.ContentProvider$Transport.openAssetFile(ContentProvider.java:496)
       at android.content.ContentResolver.openAssetFileDescriptor(ContentResolver.java:1860)
       at android.content.ContentResolver.openOutputStream(ContentResolver.java:1562)
       at com.canhub.cropper.BitmapUtils.writeBitmapToUri(BitmapUtils.kt:460)
       at com.canhub.cropper.BitmapCroppingWorkerJob$start$1$1.invokeSuspend(BitmapCroppingWorkerJob.kt:96)
       at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
       at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106)
       at kotlinx.coroutines.internal.LimitedDispatcher.run(LimitedDispatcher.kt:42)
       at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:95)
       at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.java:570)
       at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:750)
       at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:677)
       at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:664)

Can we add a try/catch to writeBitmapToUri (BitmapUtils.kt) in order to handle the SecurityException, safely return an error and prevent the app from crashing?

vanniktech commented 1 year ago

Can't you do this yourself?

EzequielAdrianM commented 1 year ago

Created the pull request https://github.com/CanHub/Android-Image-Cropper/pull/590, but I was not able to compile the library via JitPack, it gives error: Could not resolve com.vanniktech:gradle-code-quality-tools-plugin:0.23.0.

GlebPlatoTeam commented 8 months ago

Having similar crash reports, although devices are not rooted (based on Crashlytics data).

@EzequielAdrianM I saw that you created PR but declined it in the end. Was there any follow-up?

vanniktech commented 2 months ago

The PR didn't make any sense. You will need to use FileProvider.getUriForFile together with a filepaths.xml file.
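The exception in the stack trace is FileProvider's own path-traversal guard: SimplePathStrategy.getFileForUri canonicalises the path encoded in the Uri and refuses to serve it unless it lies under one of the roots declared in the provider's paths XML. A Uri that was not produced by FileProvider.getUriForFile, or that points at a file outside a declared root, will fail this check when the cropper later calls ContentResolver.openOutputStream, which is exactly the frame above BitmapUtils.writeBitmapToUri. The following is an added example, not code from CanHub or from any participant in this thread, of building an output Uri the way the maintainer describes. The resource name file_paths.xml, the authority suffix ".fileprovider", the subdirectory "cropped" and the CropOutput object are all assumptions for illustration; the manifest and XML fragments are shown as comments because they must live in their own files.

```kotlin
// Added example (not CanHub code): produce a cropper output Uri that passes FileProvider's root check.
//
// res/xml/file_paths.xml (assumed file name; the manifest meta-data below must reference it):
//   <?xml version="1.0" encoding="utf-8"?>
//   <paths>
//       <cache-path name="cropped" path="cropped/" />
//   </paths>
//
// AndroidManifest.xml, inside <application>:
//   <provider
//       android:name="androidx.core.content.FileProvider"
//       android:authorities="${applicationId}.fileprovider"
//       android:exported="false"
//       android:grantUriPermissions="true">
//       <meta-data
//           android:name="android.support.FILE_PROVIDER_PATHS"
//           android:resource="@xml/file_paths" />
//   </provider>

import android.content.Context
import android.net.Uri
import androidx.core.content.FileProvider
import java.io.File

object CropOutput {
    // Assumed authority; must equal android:authorities in the manifest, and
    // ${applicationId} resolves to context.packageName at runtime.
    private fun authority(context: Context) = "${context.packageName}.fileprovider"

    // Must match the <cache-path path="cropped/"> entry above. A file anywhere else
    // makes getUriForFile throw IllegalArgumentException ("Failed to find configured root"),
    // and a Uri that somehow names a path outside the root makes the later
    // openOutputStream fail with the SecurityException quoted in this issue.
    private fun outputDir(context: Context): File =
        File(context.cacheDir, "cropped").apply { mkdirs() }

    fun newOutputUri(
        context: Context,
        fileName: String = "crop_${System.currentTimeMillis()}.jpg",
    ): Uri {
        val dir = outputDir(context)
        val file = File(dir, fileName)

        // Reject names such as "../../x.jpg" up front. FileProvider applies the same
        // canonical-path comparison itself; checking here gives a clear error at the
        // call site instead of a SecurityException on the cropper's worker thread.
        require(file.canonicalPath.startsWith(dir.canonicalPath + File.separator)) {
            "Output name escapes the FileProvider root: $fileName"
        }

        return FileProvider.getUriForFile(context, authority(context), file)
    }
}
```

Hand the returned Uri to the cropper as its output target (in CanHub's options this is the custom output Uri setting; the exact property name is not shown on this page, so check the library's CropImageOptions). Because both the root in file_paths.xml and the directory used here resolve to the same canonical path, the Uri the library receives stays inside the configured root and the write in writeBitmapToUri succeeds without any try/catch in the library.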