Perform additional URI validation in ShareRepository.

app/src/main/java/org/thoughtcrime/securesms/sharing/ShareRepository.java

@@ -28,6 +28,7 @@ import org.thoughtcrime.securesms.mms.PartAuthority;
 import org.thoughtcrime.securesms.providers.BlobProvider;
 import org.thoughtcrime.securesms.util.MediaUtil;
 import org.thoughtcrime.securesms.util.TextSecurePreferences;
+import org.thoughtcrime.securesms.util.UriUtil;
 import org.thoughtcrime.securesms.util.Util;
 import org.whispersystems.libsignal.util.guava.Optional;
 
@@ -77,6 +78,10 @@ class ShareRepository {
       return ShareData.forPrimitiveTypes();
     }
 
+    if (!UriUtil.isValidExternalUri(context, uri)) {
+      throw new IOException("Invalid external URI!");
+    }
+
     mimeType = getMimeType(context, uri, mimeType);
 
     if (PartAuthority.isLocalUri(uri)) {

app/src/main/java/org/thoughtcrime/securesms/util/UriUtil.java

@@ -0,0 +1,33 @@
+package org.thoughtcrime.securesms.util;
+
+import android.content.ContentResolver;
+import android.content.Context;
+import android.net.Uri;
+
+import androidx.annotation.NonNull;
+
+import java.io.File;
+import java.io.IOException;
+
+public final class UriUtil {
+
+  /**
+   * Ensures that an external URI is valid and doesn't contain any references to internal files or
+   * any other trickiness.
+   */
+  public static boolean isValidExternalUri(@NonNull Context context, @NonNull Uri uri) {
+    if (ContentResolver.SCHEME_FILE.equals(uri.getScheme())) {
+      try {
+        File file = new File(uri.getPath());
+
+        return file.getCanonicalPath().equals(file.getPath()) &&
+               !file.getCanonicalPath().startsWith("/data")   &&
+               !file.getCanonicalPath().contains(context.getPackageName());
+      } catch (IOException e) {
+        return false;
+      }
+    } else {
+      return true;
+    }
+  }
+}