Allows to launch only authenticator owned activities
- 3rd party developers can define himself-authenticator
and use the accountPreferences attribute to load the
predefined preference UI.
- If a developer defines an action intent to launch the
other activity in xml and it would return true due
to the true exported attribute and no permission.
- To avoid launching arbitrary activity. Here allows
to launch only authenticator owned activities.
Bug: 150946634
Test: make RunSettingsRoboTests -j ROBOTEST_FILTER=com.android.settings.accounts
Test: PoC app
Change-Id: I5ce1a0b3838db7b3fbe48c6ea23d5f093d625cdb
Merged-In: I5ce1a0b3838db7b3fbe48c6ea23d5f093d625cdb
(cherry picked from commit d6d8f98844)
This commit is contained in:
Sunny Shao
@@ -194,14 +194,7 @@ public class AccountTypePreferenceLoader {
|
|||||||
ActivityInfo resolvedActivityInfo = resolveInfo.activityInfo;
|
ActivityInfo resolvedActivityInfo = resolveInfo.activityInfo;
|
||||||
ApplicationInfo resolvedAppInfo = resolvedActivityInfo.applicationInfo;
|
ApplicationInfo resolvedAppInfo = resolvedActivityInfo.applicationInfo;
|
||||||
try {
|
try {
|
||||||
if (resolvedActivityInfo.exported) {
|
// Allows to launch only authenticator owned activities.
|
||||||
if (resolvedActivityInfo.permission == null) {
|
|
||||||
return true; // exported activity without permission.
|
|
||||||
} else if (pm.checkPermission(resolvedActivityInfo.permission,
|
|
||||||
authDesc.packageName) == PackageManager.PERMISSION_GRANTED) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
ApplicationInfo authenticatorAppInf = pm.getApplicationInfo(authDesc.packageName, 0);
|
ApplicationInfo authenticatorAppInf = pm.getApplicationInfo(authDesc.packageName, 0);
|
||||||
return resolvedAppInfo.uid == authenticatorAppInf.uid;
|
return resolvedAppInfo.uid == authenticatorAppInf.uid;
|
||||||
} catch (NameNotFoundException e) {
|
} catch (NameNotFoundException e) {
|
||||||
|
|||||||
Reference in New Issue
Block a user