Prevent newlines and long captions selecting default payment app

This would allow attackers to spoof the default selection dialog causing the user to unkowingly change their default payment handler. Bug: 15906632 Change-Id: I49ad2a7351bd6d2c1f9a79ad9be0cbc9787ca6c3
2014-07-22 11:04:21 -07:00
parent f34c350194
commit 78ce5e8c9f
1 changed files with 17 additions and 3 deletions
--- a/src/com/android/settings/nfc/PaymentDefaultDialog.java
+++ b/src/com/android/settings/nfc/PaymentDefaultDialog.java
@@ -34,6 +34,7 @@ public final class PaymentDefaultDialog extends AlertActivity implements
        DialogInterface.OnClickListener {

    public static final String TAG = "PaymentDefaultDialog";
+    private static final int PAYMENT_APP_MAX_CAPTION_LENGTH = 40;

    private PaymentBackend mBackend;
    private ComponentName mNewDefault;
@@ -109,12 +110,14 @@ public final class PaymentDefaultDialog extends AlertActivity implements
        p.mTitle = getString(R.string.nfc_payment_set_default_label);
        if (defaultPaymentApp == null) {
            String formatString = getString(R.string.nfc_payment_set_default);
-            String msg = String.format(formatString, requestedPaymentApp.caption);
+            String msg = String.format(formatString,
+                    sanitizePaymentAppCaption(requestedPaymentApp.caption.toString()));
            p.mMessage = msg;
        } else {
            String formatString = getString(R.string.nfc_payment_set_default_instead_of);
-            String msg = String.format(formatString, requestedPaymentApp.caption,
-                    defaultPaymentApp.caption);
+            String msg = String.format(formatString,
+                    sanitizePaymentAppCaption(requestedPaymentApp.caption.toString()),
+                    sanitizePaymentAppCaption(defaultPaymentApp.caption.toString()));
            p.mMessage = msg;
        }
        p.mPositiveButtonText = getString(R.string.yes);
@@ -126,4 +129,15 @@ public final class PaymentDefaultDialog extends AlertActivity implements
        return true;
    }

+    private String sanitizePaymentAppCaption(String input) {
+        String sanitizedString = input.replace('\n', ' ').replace('\r', ' ').trim();
+
+
+        if (sanitizedString.length() > PAYMENT_APP_MAX_CAPTION_LENGTH) {
+            return sanitizedString.substring(0, PAYMENT_APP_MAX_CAPTION_LENGTH);
+        }
+
+        return sanitizedString;
+    }
+
 }