PawletOS/app_Settings
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Prevent newlines and long captions selecting default payment app

Browse Source 
This would allow attackers to spoof the default selection
dialog causing the user to unkowingly change their default
payment handler.

Bug: 15906632
Change-Id: I49ad2a7351bd6d2c1f9a79ad9be0cbc9787ca6c3
This commit is contained in:
Andres Morales
2014-07-22 11:04:21 -07:00
parent f34c350194
commit 78ce5e8c9f
1 changed files with 17 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
src/com/android/settings/nfc/PaymentDefaultDialog.java
View File

@@ -34,6 +34,7 @@ public final class PaymentDefaultDialog extends AlertActivity implements
DialogInterface.OnClickListener { DialogInterface.OnClickListener {
public static final String TAG = "PaymentDefaultDialog"; public static final String TAG = "PaymentDefaultDialog";
private static final int PAYMENT_APP_MAX_CAPTION_LENGTH = 40;
private PaymentBackend mBackend; private PaymentBackend mBackend;
private ComponentName mNewDefault; private ComponentName mNewDefault;
@@ -109,12 +110,14 @@ public final class PaymentDefaultDialog extends AlertActivity implements
p.mTitle = getString(R.string.nfc_payment_set_default_label); p.mTitle = getString(R.string.nfc_payment_set_default_label);
if (defaultPaymentApp == null) { if (defaultPaymentApp == null) {
String formatString = getString(R.string.nfc_payment_set_default); String formatString = getString(R.string.nfc_payment_set_default);
String msg = String.format(formatString, requestedPaymentApp.caption); String msg = String.format(formatString,
sanitizePaymentAppCaption(requestedPaymentApp.caption.toString()));
p.mMessage = msg; p.mMessage = msg;
} else { } else {
String formatString = getString(R.string.nfc_payment_set_default_instead_of); String formatString = getString(R.string.nfc_payment_set_default_instead_of);
String msg = String.format(formatString, requestedPaymentApp.caption, String msg = String.format(formatString,
defaultPaymentApp.caption); sanitizePaymentAppCaption(requestedPaymentApp.caption.toString()),
sanitizePaymentAppCaption(defaultPaymentApp.caption.toString()));
p.mMessage = msg; p.mMessage = msg;
} }
p.mPositiveButtonText = getString(R.string.yes); p.mPositiveButtonText = getString(R.string.yes);
@@ -126,4 +129,15 @@ public final class PaymentDefaultDialog extends AlertActivity implements
return true; return true;
} }
private String sanitizePaymentAppCaption(String input) {
String sanitizedString = input.replace('\n', ' ').replace('\r', ' ').trim();
if (sanitizedString.length() > PAYMENT_APP_MAX_CAPTION_LENGTH) {
return sanitizedString.substring(0, PAYMENT_APP_MAX_CAPTION_LENGTH);
}
return sanitizedString;
}
} }