PawletOS/app_Settings
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Don't put credentials in results from externally accessible activities

Browse Source 
ConfirmLockPattern and ConfirmLockPassword return an intent that contains the
password, and as such are dangerous. Create internal versions that are locked
down, and don't put this info in the externally accessible versions.

Bug: 13741939
Change-Id: I0df4d1e720b3c33d2c9ca086636dc54f17b19bf0
This commit is contained in:
Paul Lawrence
2014-07-07 13:10:16 -07:00
parent 74e7c3e360
commit 204440427a
6 changed files with 60 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
AndroidManifest.xml
View File

@@ -1007,6 +1007,15 @@
<activity android:name="ConfirmLockPassword" <activity android:name="ConfirmLockPassword"
android:windowSoftInputMode="stateVisible|adjustResize"/> android:windowSoftInputMode="stateVisible|adjustResize"/>
<!-- Note this must not be exported since it returns the password in the intent -->
<activity android:name="ConfirmLockPattern$InternalActivity"
android:exported="false"/>
<!-- Note this must not be exported since it returns the password in the intent -->
<activity android:name="ConfirmLockPassword$InternalActivity"
android:exported="false"
android:windowSoftInputMode="stateVisible|adjustResize"/>
<activity android:name="ChooseLockGeneric" <activity android:name="ChooseLockGeneric"
android:label="@string/lockpassword_choose_lock_generic_header" android:label="@string/lockpassword_choose_lock_generic_header"
android:excludeFromRecents="true" > android:excludeFromRecents="true" >

35
src/com/android/settings/ChooseLockSettingsHelper.java
View File

@@ -54,10 +54,24 @@ public final class ChooseLockSettingsHelper {
* @see #onActivityResult(int, int, android.content.Intent) * @see #onActivityResult(int, int, android.content.Intent)
*/ */
boolean launchConfirmationActivity(int request, CharSequence message, CharSequence details) { boolean launchConfirmationActivity(int request, CharSequence message, CharSequence details) {
return launchConfirmationActivity(request, message, details, false);
}
/**
* If a pattern, password or PIN exists, prompt the user before allowing them to change it.
* @param message optional message to display about the action about to be done
* @param details optional detail message to display
* @param returnCredentials if true, put credentials into intent. Note that if this is true,
this can only be called internally.
* @return true if one exists and we launched an activity to confirm it
* @see #onActivityResult(int, int, android.content.Intent)
*/
boolean launchConfirmationActivity(int request, CharSequence message, CharSequence details,
boolean returnCredentials) {
boolean launched = false; boolean launched = false;
switch (mLockPatternUtils.getKeyguardStoredPasswordQuality()) { switch (mLockPatternUtils.getKeyguardStoredPasswordQuality()) {
case DevicePolicyManager.PASSWORD_QUALITY_SOMETHING: case DevicePolicyManager.PASSWORD_QUALITY_SOMETHING:
launched = confirmPattern(request, message, details); launched = confirmPattern(request, message, details, returnCredentials);
break; break;
case DevicePolicyManager.PASSWORD_QUALITY_NUMERIC: case DevicePolicyManager.PASSWORD_QUALITY_NUMERIC:
case DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX: case DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX:
@@ -65,7 +79,7 @@ public final class ChooseLockSettingsHelper {
case DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC: case DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC:
case DevicePolicyManager.PASSWORD_QUALITY_COMPLEX: case DevicePolicyManager.PASSWORD_QUALITY_COMPLEX:
// TODO: update UI layout for ConfirmPassword to show message and details // TODO: update UI layout for ConfirmPassword to show message and details
launched = confirmPassword(request); launched = confirmPassword(request, returnCredentials);
break; break;
} }
return launched; return launched;
@@ -75,10 +89,12 @@ public final class ChooseLockSettingsHelper {
* Launch screen to confirm the existing lock pattern. * Launch screen to confirm the existing lock pattern.
* @param message shown in header of ConfirmLockPattern if not null * @param message shown in header of ConfirmLockPattern if not null
* @param details shown in footer of ConfirmLockPattern if not null * @param details shown in footer of ConfirmLockPattern if not null
* @param returnCredentials if true, put credentials into intent.
* @see #onActivityResult(int, int, android.content.Intent) * @see #onActivityResult(int, int, android.content.Intent)
* @return true if we launched an activity to confirm pattern * @return true if we launched an activity to confirm pattern
*/ */
private boolean confirmPattern(int request, CharSequence message, CharSequence details) { private boolean confirmPattern(int request, CharSequence message,
CharSequence details, boolean returnCredentials) {
if (!mLockPatternUtils.isLockPatternEnabled() || !mLockPatternUtils.savedPatternExists()) { if (!mLockPatternUtils.isLockPatternEnabled() || !mLockPatternUtils.savedPatternExists()) {
return false; return false;
} }
@@ -86,7 +102,10 @@ public final class ChooseLockSettingsHelper {
// supply header and footer text in the intent // supply header and footer text in the intent
intent.putExtra(ConfirmLockPattern.HEADER_TEXT, message); intent.putExtra(ConfirmLockPattern.HEADER_TEXT, message);
intent.putExtra(ConfirmLockPattern.FOOTER_TEXT, details); intent.putExtra(ConfirmLockPattern.FOOTER_TEXT, details);
intent.setClassName("com.android.settings", "com.android.settings.ConfirmLockPattern"); intent.setClassName("com.android.settings",
returnCredentials
? ConfirmLockPattern.InternalActivity.class.getName()
: ConfirmLockPattern.class.getName());
if (mFragment != null) { if (mFragment != null) {
mFragment.startActivityForResult(intent, request); mFragment.startActivityForResult(intent, request);
} else { } else {
@@ -97,13 +116,17 @@ public final class ChooseLockSettingsHelper {
/** /**
* Launch screen to confirm the existing lock password. * Launch screen to confirm the existing lock password.
* @param returnCredentials if true, put credentials into intent.
* @see #onActivityResult(int, int, android.content.Intent) * @see #onActivityResult(int, int, android.content.Intent)
* @return true if we launched an activity to confirm password * @return true if we launched an activity to confirm password
*/ */
private boolean confirmPassword(int request) { private boolean confirmPassword(int request, boolean returnCredentials) {
if (!mLockPatternUtils.isLockPasswordEnabled()) return false; if (!mLockPatternUtils.isLockPasswordEnabled()) return false;
final Intent intent = new Intent(); final Intent intent = new Intent();
intent.setClassName("com.android.settings", "com.android.settings.ConfirmLockPassword"); intent.setClassName("com.android.settings",
returnCredentials
? ConfirmLockPassword.InternalActivity.class.getName()
: ConfirmLockPassword.class.getName());
if (mFragment != null) { if (mFragment != null) {
mFragment.startActivityForResult(intent, request); mFragment.startActivityForResult(intent, request);
} else { } else {

13
src/com/android/settings/ConfirmLockPassword.java
View File

@@ -44,6 +44,9 @@ import android.widget.TextView.OnEditorActionListener;
public class ConfirmLockPassword extends SettingsActivity { public class ConfirmLockPassword extends SettingsActivity {
public static class InternalActivity extends ConfirmLockPassword {
}
@Override @Override
public Intent getIntent() { public Intent getIntent() {
Intent modIntent = new Intent(super.getIntent()); Intent modIntent = new Intent(super.getIntent());
@@ -168,10 +171,12 @@ public class ConfirmLockPassword extends SettingsActivity {
if (mLockPatternUtils.checkPassword(pin)) { if (mLockPatternUtils.checkPassword(pin)) {
Intent intent = new Intent(); Intent intent = new Intent();
intent.putExtra(ChooseLockSettingsHelper.EXTRA_KEY_TYPE, if (getActivity() instanceof ConfirmLockPassword.InternalActivity) {
mIsAlpha ? StorageManager.CRYPT_TYPE_PASSWORD intent.putExtra(ChooseLockSettingsHelper.EXTRA_KEY_TYPE,
: StorageManager.CRYPT_TYPE_PIN); mIsAlpha ? StorageManager.CRYPT_TYPE_PASSWORD
intent.putExtra(ChooseLockSettingsHelper.EXTRA_KEY_PASSWORD, pin); : StorageManager.CRYPT_TYPE_PIN);
intent.putExtra(ChooseLockSettingsHelper.EXTRA_KEY_PASSWORD, pin);
}
getActivity().setResult(RESULT_OK, intent); getActivity().setResult(RESULT_OK, intent);
getActivity().finish(); getActivity().finish();

13
src/com/android/settings/ConfirmLockPattern.java
View File

@@ -43,6 +43,9 @@ import java.util.List;
*/ */
public class ConfirmLockPattern extends SettingsActivity { public class ConfirmLockPattern extends SettingsActivity {
public static class InternalActivity extends ConfirmLockPattern {
}
/** /**
* Names of {@link CharSequence} fields within the originating {@link Intent} * Names of {@link CharSequence} fields within the originating {@link Intent}
* that are used to configure the keyguard confirmation view's labeling. * that are used to configure the keyguard confirmation view's labeling.
@@ -266,10 +269,12 @@ public class ConfirmLockPattern extends SettingsActivity {
if (mLockPatternUtils.checkPattern(pattern)) { if (mLockPatternUtils.checkPattern(pattern)) {
Intent intent = new Intent(); Intent intent = new Intent();
intent.putExtra(ChooseLockSettingsHelper.EXTRA_KEY_TYPE, if (getActivity() instanceof ConfirmLockPattern.InternalActivity) {
StorageManager.CRYPT_TYPE_PATTERN); intent.putExtra(ChooseLockSettingsHelper.EXTRA_KEY_TYPE,
intent.putExtra(ChooseLockSettingsHelper.EXTRA_KEY_PASSWORD, StorageManager.CRYPT_TYPE_PATTERN);
LockPatternUtils.patternToString(pattern)); intent.putExtra(ChooseLockSettingsHelper.EXTRA_KEY_PASSWORD,
LockPatternUtils.patternToString(pattern));
}
getActivity().setResult(Activity.RESULT_OK, intent); getActivity().setResult(Activity.RESULT_OK, intent);
getActivity().finish(); getActivity().finish();

3
src/com/android/settings/CredentialStorage.java
View File

@@ -378,7 +378,8 @@ public final class CredentialStorage extends Activity {
boolean launched = new ChooseLockSettingsHelper(this) boolean launched = new ChooseLockSettingsHelper(this)
.launchConfirmationActivity(CONFIRM_KEY_GUARD_REQUEST, .launchConfirmationActivity(CONFIRM_KEY_GUARD_REQUEST,
res.getText(R.string.credentials_install_gesture_prompt), res.getText(R.string.credentials_install_gesture_prompt),
res.getText(R.string.credentials_install_gesture_explanation)); res.getText(R.string.credentials_install_gesture_explanation),
true);
return launched; return launched;
} }

3
src/com/android/settings/CryptKeeperSettings.java
View File

@@ -164,7 +164,8 @@ public class CryptKeeperSettings extends Fragment {
return helper.launchConfirmationActivity(request, return helper.launchConfirmationActivity(request,
res.getText(R.string.master_clear_gesture_prompt), res.getText(R.string.master_clear_gesture_prompt),
res.getText(R.string.master_clear_gesture_explanation)); res.getText(R.string.master_clear_gesture_explanation),
true);
} }
@Override @Override