ReadArticleActivity enables WebView file access on opt-in but never turns it back off #1496

@jim-daf

ReadArticleActivity.initWebView() does this:

if (settings.isImageCacheEnabled() && !webViewSettings.getAllowFileAccess()) {
    Log.d(TAG, "initWebView() enabling WebView file access");
    webViewSettings.setAllowFileAccess(true);
}

It enables setAllowFileAccess(true) only when the image cache is on, which on the face of it is sensible. The problem is that on minSdkVersion 23 the WebView default for setAllowFileAccess is already true on Android 9 and earlier. So the conditional never explicitly calls setAllowFileAccess(false) when the user has the image cache turned off. A WebView created on those Android versions carries the default-on flag regardless of the cache setting.

The article WebView attaches two JS bridges (hostWebViewTextController and hostAnnotationController) via addJavascriptInterface(...), so any code path that loads a file:// document into this WebView would let a same-origin file:// page reach both bridges. CWE-200 maps to the original setAllowFileAccess(true) posture.

Suggested fix:

boolean needsFileAccess = settings.isImageCacheEnabled();
if (webViewSettings.getAllowFileAccess() != needsFileAccess) {
    Log.d(TAG, "initWebView() setting WebView file access to " + needsFileAccess);
    webViewSettings.setAllowFileAccess(needsFileAccess);
}

Behaviour with the image cache enabled is unchanged. With the image cache off, the WebView is explicitly locked down on every supported Android version, not only API 30+. loadDataWithBaseURL("file:///android_asset/", ...) and file:///android_asset/* continue to work regardless of the flag.

A PR is open at #1497.
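
The two conditionals from the issue, run side by side as an added example (not the project's code or the PR's): `FileAccessFlagCheck` and `FakeWebSettings` are hypothetical names, and `FakeWebSettings` is a plain-Java stand-in for the two `WebSettings` methods involved. The platform default is passed in as a parameter so both starting states are covered.

```java
import java.util.function.BiConsumer;

public class FileAccessFlagCheck {
    // Stand-in for android.webkit.WebSettings, limited to the two methods the issue uses.
    static final class FakeWebSettings {
        private boolean allowFileAccess;
        FakeWebSettings(boolean platformDefault) { allowFileAccess = platformDefault; }
        boolean getAllowFileAccess() { return allowFileAccess; }
        void setAllowFileAccess(boolean allow) { allowFileAccess = allow; }
    }

    // Logic as quoted from initWebView(): it can only ever turn the flag on.
    static void original(FakeWebSettings ws, boolean imageCacheEnabled) {
        if (imageCacheEnabled && !ws.getAllowFileAccess()) {
            ws.setAllowFileAccess(true);
        }
    }

    // Logic from the suggested fix: the flag always follows the image cache setting.
    static void suggested(FakeWebSettings ws, boolean imageCacheEnabled) {
        boolean needsFileAccess = imageCacheEnabled;
        if (ws.getAllowFileAccess() != needsFileAccess) {
            ws.setAllowFileAccess(needsFileAccess);
        }
    }

    // Counts the (default, cache) combinations that end with flag != cache setting.
    static int mismatches(String name, BiConsumer<FakeWebSettings, Boolean> init) {
        int bad = 0;
        for (boolean platformDefault : new boolean[] {true, false}) {
            for (boolean cache : new boolean[] {true, false}) {
                FakeWebSettings ws = new FakeWebSettings(platformDefault);
                init.accept(ws, cache);
                boolean ok = ws.getAllowFileAccess() == cache;
                if (!ok) bad++;
                System.out.printf("%-9s default=%-5b cache=%-5b -> allowFileAccess=%-5b %s%n",
                        name, platformDefault, cache, ws.getAllowFileAccess(), ok ? "ok" : "MISMATCH");
            }
        }
        return bad;
    }

    public static void main(String[] args) {
        int before = mismatches("original", FileAccessFlagCheck::original);
        int after = mismatches("suggested", FileAccessFlagCheck::suggested);
        // Fail loudly if the fix ever stops pinning the flag to the setting.
        if (before != 1 || after != 0) throw new AssertionError(before + "/" + after);
    }
}
```

The same four-case table can be turned into a regression test against the real `WebSettings` object in an instrumented test, asserting `getAllowFileAccess()` equals the image cache setting after `initWebView()` runs.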
