From 78ce5e8c9f9e01502f5a544b7488b1ee000a2b6f Mon Sep 17 00:00:00 2001
From: Andres Morales <anmorales@google.com>
Date: Tue, 22 Jul 2014 11:04:21 -0700
Subject: [PATCH] Prevent newlines and long captions selecting default payment
 app

This would allow attackers to spoof the default selection
dialog causing the user to unkowingly change their default
payment handler.

Bug: 15906632
Change-Id: I49ad2a7351bd6d2c1f9a79ad9be0cbc9787ca6c3
---
 .../settings/nfc/PaymentDefaultDialog.java    | 20 ++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/src/com/android/settings/nfc/PaymentDefaultDialog.java b/src/com/android/settings/nfc/PaymentDefaultDialog.java
index 6bc29e19a6c..33ac94743c1 100644
--- a/src/com/android/settings/nfc/PaymentDefaultDialog.java
+++ b/src/com/android/settings/nfc/PaymentDefaultDialog.java
@@ -34,6 +34,7 @@ public final class PaymentDefaultDialog extends AlertActivity implements
         DialogInterface.OnClickListener {
 
     public static final String TAG = "PaymentDefaultDialog";
+    private static final int PAYMENT_APP_MAX_CAPTION_LENGTH = 40;
 
     private PaymentBackend mBackend;
     private ComponentName mNewDefault;
@@ -109,12 +110,14 @@ public final class PaymentDefaultDialog extends AlertActivity implements
         p.mTitle = getString(R.string.nfc_payment_set_default_label);
         if (defaultPaymentApp == null) {
             String formatString = getString(R.string.nfc_payment_set_default);
-            String msg = String.format(formatString, requestedPaymentApp.caption);
+            String msg = String.format(formatString,
+                    sanitizePaymentAppCaption(requestedPaymentApp.caption.toString()));
             p.mMessage = msg;
         } else {
             String formatString = getString(R.string.nfc_payment_set_default_instead_of);
-            String msg = String.format(formatString, requestedPaymentApp.caption,
-                    defaultPaymentApp.caption);
+            String msg = String.format(formatString,
+                    sanitizePaymentAppCaption(requestedPaymentApp.caption.toString()),
+                    sanitizePaymentAppCaption(defaultPaymentApp.caption.toString()));
             p.mMessage = msg;
         }
         p.mPositiveButtonText = getString(R.string.yes);
@@ -126,4 +129,15 @@ public final class PaymentDefaultDialog extends AlertActivity implements
         return true;
     }
 
+    private String sanitizePaymentAppCaption(String input) {
+        String sanitizedString = input.replace('\n', ' ').replace('\r', ' ').trim();
+
+
+        if (sanitizedString.length() > PAYMENT_APP_MAX_CAPTION_LENGTH) {
+            return sanitizedString.substring(0, PAYMENT_APP_MAX_CAPTION_LENGTH);
+        }
+
+        return sanitizedString;
+    }
+
 }