From 38a58371a03fe310eefbcc68234c45a2e44ea3e9 Mon Sep 17 00:00:00 2001
From: "Tadashi G. Takaoka" <takaoka@google.com>
Date: Wed, 19 Jul 2017 14:05:02 +0900
Subject: [PATCH] Remove SHOW_INPUT_METHOD_PICKER receiver

Although there is a security check for IMM#showInputMethodPicker() [1],
any background application can virtually call the method via explicit
broadcast intent to Settings app.

Since showing IME picker from the notification has implemented in
InputMethodManagerService using protected-broadcast [2], the receiver in
Settings app isn't necessary and should be removed to close the security
bypass.

Note that this broadcast receiver stops working from Android-O due to
background check [3].

 [1]: I4f0fc21268200c64d12b31ca54416acfbf62f37b
 [2]: Id36c8c34159bea8b72557b40bcf024d401f580b6
 [3]: https://developer.android.com/preview/features/background.html#broadcasts

Test: The following broadcast intent will not show IME picker.
  $ adb shell am broadcast \
        -a android.settings.SHOW_INPUT_METHOD_PICKER \
        com.android.settings
Fixes: 64008672
Bug: 63644555
Change-Id: Id990c66516c9b3ed7ada6891746ec0e0eecbe545
---
 AndroidManifest.xml                           |  7 ----
 .../InputMethodDialogReceiver.java            | 32 -------------------
 2 files changed, 39 deletions(-)
 delete mode 100644 src/com/android/settings/inputmethod/InputMethodDialogReceiver.java

diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index c88089ecde0..4eee1444820 100644
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -670,13 +670,6 @@
                 android:value="true" />
         </activity>
 
-        <receiver android:name=".inputmethod.InputMethodDialogReceiver"
-                android:enabled="true">
-            <intent-filter>
-                <action android:name="android.settings.SHOW_INPUT_METHOD_PICKER" />
-            </intent-filter>
-        </receiver>
-
         <activity android:name="Settings$UserDictionarySettingsActivity"
                 android:label="@string/user_dict_settings_title"
                 android:taskAffinity="com.android.settings"
diff --git a/src/com/android/settings/inputmethod/InputMethodDialogReceiver.java b/src/com/android/settings/inputmethod/InputMethodDialogReceiver.java
deleted file mode 100644
index e442e883b80..00000000000
--- a/src/com/android/settings/inputmethod/InputMethodDialogReceiver.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2011 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.android.settings.inputmethod;
-
-import android.content.BroadcastReceiver;
-import android.content.Context;
-import android.content.Intent;
-import android.provider.Settings;
-import android.view.inputmethod.InputMethodManager;
-
-public class InputMethodDialogReceiver extends BroadcastReceiver {
-    @Override
-    public void onReceive(Context context, Intent intent) {
-        if (Settings.ACTION_SHOW_INPUT_METHOD_PICKER.equals(intent.getAction())) {
-            ((InputMethodManager) context.getSystemService(Context.INPUT_METHOD_SERVICE))
-                    .showInputMethodPicker(true /* showAuxiliarySubtypes */);
-        }
-    }
-}