Yalantis / uCrop

Image Cropping Library for Android
https://yalantis.com/blog/introducing-ucrop-our-own-image-cropping-library-for-android/

SecurityException when trying to crop an image from Google Photos #314

Closed iveyalkin closed 7 years ago

iveyalkin commented 7 years ago

Do you want to request a feature or report a bug? bug

What is the current behavior? Application crashes

What is the expected behavior? Don't crash

If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem. See https://github.com/Yalantis/uCrop/issues/212

Please attach any image files, URL and stack trace that can be used to reproduce the bug.

Caused by java.lang.SecurityException: Permission Denial: reading com.google.android.apps.photos.contentprovider.impl.MediaContentProvider uri content://com.google.android.apps.photos.contentprovider/0/1/content%3A%2F%2Fmedia%2Fexternal%2Fimages%2Fmedia%2F9111/ORIGINAL/NONE/585071299 from pid=15789, uid=10118 requires the provider be exported, or grantUriPermission()
       at android.os.Parcel.readException(Parcel.java:1693)
       at android.database.DatabaseUtils.readExceptionFromParcel(DatabaseUtils.java:183)
       at android.database.DatabaseUtils.readExceptionFromParcel(DatabaseUtils.java:135)
       at android.content.ContentProviderProxy.query(ContentProviderNative.java:421)
       at android.content.ContentResolver.query(ContentResolver.java:536)
       at android.content.ContentResolver.query(ContentResolver.java:478)
       at com.yalantis.ucrop.util.FileUtils.getDataColumn(FileUtils.java:109)
       at com.yalantis.ucrop.util.FileUtils.getPath(FileUtils.java:194)
       at com.yalantis.ucrop.task.BitmapLoadTask.processInputUri(BitmapLoadTask.java:171)
       at com.yalantis.ucrop.task.BitmapLoadTask.doInBackground(BitmapLoadTask.java:90)
       at com.yalantis.ucrop.task.BitmapLoadTask.doInBackground(BitmapLoadTask.java:41)
       at android.os.AsyncTask$2.call(AsyncTask.java:304)
       at java.util.concurrent.FutureTask.run(FutureTask.java:237)
       at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:243)
       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
       at java.lang.Thread.run(Thread.java:762)

Which versions of uCrop, and which Android API versions are affected by this issue? Did this work in previous versions of uCrop? We use uCrop 2.2.0. At least devices with API 21+ are affected.

Actually, it's fixed in https://github.com/Yalantis/uCrop/pull/227 but the latest release, 2.2.1, doesn't seem to include the fix. Are you planning to release it, and if so, when? Thank you!

KucherenkoIhor commented 7 years ago

Hello, @iveyalkin !

The main cause of this problem is that "Google Photo" shares a ContentUri with a fixed string like "content://com.google.android.apps.photos.contentprovider/1/1" and connects it with static temporary values. "Google Photo" does not provide the file path when the actual Activity or Context which receives Intent.ACTION_SEND. Maybe it is the policy of "Google Photo" not to expose the private image file to other apps. For example, you define 2 Activities in the Manifest file, Activity A and Activity B. Activity A receives the Intent.ACTION_SEND. Activity B processes the image file. Activity A forwards the intent to Activity B. Then Activity B is not the correct Activity to "Google Photo", and you encounter the SecurityException. So, I recommend that you save the file temporarily in Activity A and use the temporary file path in Activity B.
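A sketch of the workaround recommended in the comment above, as an added example that is not part of the original thread or of uCrop's code: the Activity that receives `Intent.ACTION_SEND` streams the shared image into app-private cache storage and forwards only the resulting file path. `ReceiveShareActivity`, `CropActivity`, the `image_path` extra and the size limit are hypothetical names and values chosen for illustration.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

// "Activity A": receives ACTION_SEND and is the component the content URI was shared with.
public class ReceiveShareActivity extends Activity {
    private static final long MAX_BYTES = 50L * 1024 * 1024; // assumed cap on a shared image

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        final Uri shared = getIntent().getParcelableExtra(Intent.EXTRA_STREAM);
        if (shared == null) { finish(); return; }
        new Thread(() -> {                       // copy off the main thread
            try {
                File copy = copyToPrivateCache(shared);
                runOnUiThread(() -> {            // "Activity B" (hypothetical CropActivity) gets a path only
                    startActivity(new Intent(this, CropActivity.class)
                            .putExtra("image_path", copy.getAbsolutePath()));
                    finish();
                });
            } catch (IOException | SecurityException e) {
                runOnUiThread(this::finish);     // fail closed instead of crashing
            }
        }).start();
    }

    // Reads the provider's stream (no file-path lookup) into the app's private cache dir.
    private File copyToPrivateCache(Uri source) throws IOException {
        File out = File.createTempFile("shared_", ".img", getCacheDir());
        try (InputStream in = getContentResolver().openInputStream(source);
             OutputStream os = new FileOutputStream(out)) {
            if (in == null) throw new IOException("provider returned no stream");
            byte[] buf = new byte[8192];
            long total = 0;
            for (int n; (n = in.read(buf)) != -1; ) {
                if ((total += n) > MAX_BYTES) throw new IOException("shared image too large");
                os.write(buf, 0, n);
            }
        } catch (IOException | SecurityException e) {
            out.delete();                        // do not leave a partial copy behind
            throw e;
        }
        return out;
    }
}
```

The copy lives in `getCacheDir()`, so it is not readable by other apps; delete it once cropping has finished.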

iveyalkin commented 7 years ago

Thank you for such a detailed explanation! [UPDATED] Yeah! You are totally right. I haven't properly evaluated the source issue. And yes, https://github.com/Yalantis/uCrop/pull/227 doesn't help due to the way the URI permissions are granted by the Photos app.

~However, if I got it right, it would happen constantly on a broad variety of devices with various Android APIs. In fact, according to our Crashlytics reports, only a small portion of our users are affected by the issue.~ ~As I mentioned earlier, any particular ETA for https://github.com/Yalantis/uCrop/pull/227 ? Maybe you've decided not to release it for a certain reason. Could you elaborate on that?~ Thanks!