Any reason to export it totally?
If not, then please don't.
I would go with "yes" then I would add 2 security checks:
a.1) force the grantUriPermission and make it exported=false
a.2) grant the Uri during sendAction
b) I would still canonical check it (as per above)
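// Resolve the requested name under DIR, then reject anything whose canonical path falls outside DIR
File f = new File(DIR, uri.getLastPathSegment());
if (!f.getCanonicalPath().startsWith(DIR)) {
    throw new IllegalArgumentException();
}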
Hi.
The LocalFileProvider provider is vulnerable to IDOR and to path traversal (https://support.google.com/faqs/answer/7496913?hl=en).
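The canonical-path check suggested in the post, written out as a stand-alone Java program. This is an added example, not code from the post or from the project: the class name, the `resolve` helper, the base directory and the sample names are all hypothetical. It goes one step beyond the snippet by canonicalizing the base directory and comparing against it with a trailing separator.

```java
import java.io.File;
import java.io.IOException;

public class CanonicalCheckDemo {
    // Hypothetical helper: resolve a caller-supplied name under baseDir and
    // reject anything whose canonical path falls outside baseDir.
    static File resolve(File baseDir, String lastSegment) throws IOException {
        if (lastSegment == null || lastSegment.isEmpty()) {
            throw new IllegalArgumentException("empty name");
        }
        File base = baseDir.getCanonicalFile();
        File f = new File(base, lastSegment).getCanonicalFile();
        // The trailing separator keeps a sibling such as ".../files_evil"
        // from passing a plain startsWith(".../files") comparison.
        String prefix = base.getPath() + File.separator;
        if (!f.getPath().startsWith(prefix)) {
            throw new IllegalArgumentException("path escapes " + base);
        }
        return f;
    }

    public static void main(String[] args) throws IOException {
        // Constructed base directory standing in for the provider's DIR.
        File base = new File(System.getProperty("java.io.tmpdir"), "files");
        // Constructed inputs. Uri.getLastPathSegment() returns the decoded
        // segment, so an encoded "..%2F" reaches the check as "../".
        String[] names = {
            "report.pdf", "..", "../files_evil/x", "../../etc/hosts", "a/../b.txt"
        };
        for (String n : names) {
            try {
                System.out.println("OK     " + n + " -> " + resolve(base, n));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + n);
            }
        }
    }
}
```

In a ContentProvider the same check would sit at the top of `openFile`, alongside the `exported=false` and per-Uri grant changes the post proposes.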