Fix pendingIntent in SettingsSliceProvider could be Hijacked

A malicious app is able to obtain this pending intent.
It can then mutate all fields except for the action and
launch the intent. This can be used to launch any activity
with the ACTION_SETTINGS action.

So, we enforce the package name on this intent,
so that it can only launch the Settings app.

Fix: 147355897
Test: a) Install the new settings apk, and it won't launch other screen.
(See details in bug)
b) Start the settings search, slice search results work as normal.

Change-Id: Ie954d8a4b7153d6a4cac40621f363b45185990f2
Tsung-Mao Fang
2020-03-04 18:18:41 +08:00
parent dcf18af961
commit b3c0a2a6c1
2 changed files with 7 additions and 2 deletions


@@ -44,6 +44,7 @@ import androidx.slice.Slice;
import androidx.slice.SliceProvider;
import com.android.settings.R;
import com.android.settings.Utils;
import com.android.settings.bluetooth.BluetoothSliceBuilder;
import com.android.settings.core.BasePreferenceController;
import com.android.settings.notification.zen.ZenModeSliceBuilder;
@@ -322,7 +323,8 @@ public class SettingsSliceProvider extends SliceProvider {
@Override
public PendingIntent onCreatePermissionRequest(@NonNull Uri sliceUri,
@NonNull String callingPackage) {
final Intent settingsIntent = new Intent(Settings.ACTION_SETTINGS);
final Intent settingsIntent = new Intent(Settings.ACTION_SETTINGS)
.setPackage(Utils.SETTINGS_PACKAGE_NAME);
final PendingIntent noOpIntent = PendingIntent.getActivity(getContext(),
0 /* requestCode */, settingsIntent, 0 /* flags */);
return noOpIntent;
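Review bot: The PendingIntent in onCreatePermissionRequest is still created with `0 /* flags */`, so it stays mutable: its holder can still fill in fields the base intent leaves unset (data, categories, extras), even though the package is now pinned. The object is handed to the calling package and nothing visible here needs fill-in, so passing `PendingIntent.FLAG_IMMUTABLE` instead of `0` would close that off as well. Whether any Settings activity reachable through ACTION_SETTINGS reads such fields cannot be seen from this hunk. A short comment above the `.setPackage(...)` line, such as `// Explicit package: this PendingIntent is handed to another app and must resolve only inside Settings.`, would keep the reason next to the code. The method body continues past the end of the hunk.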


@@ -50,6 +50,7 @@ import androidx.slice.Slice;
import androidx.slice.SliceProvider;
import androidx.slice.widget.SliceLiveData;
import com.android.settings.Utils;
import com.android.settings.testutils.DatabaseTestUtils;
import com.android.settings.testutils.FakeToggleController;
import com.android.settings.testutils.shadow.ShadowBluetoothAdapter;
@@ -530,8 +531,10 @@ public class SettingsSliceProviderTest {
public void onCreatePermissionRequest_returnsSettingIntent() {
final PendingIntent pendingIntent = mProvider.onCreatePermissionRequest(
CustomSliceRegistry.FLASHLIGHT_SLICE_URI, "com.android.whaaaat");
final Intent settingsIntent = new Intent(Settings.ACTION_SETTINGS)
.setPackage(Utils.SETTINGS_PACKAGE_NAME);
PendingIntent settingsPendingIntent =
PendingIntent.getActivity(mContext, 0, new Intent(Settings.ACTION_SETTINGS), 0);
PendingIntent.getActivity(mContext, 0, settingsIntent, 0);
assertThat(pendingIntent).isEqualTo(settingsPendingIntent);
}
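Review bot: The assertion in onCreatePermissionRequest_returnsSettingIntent proves the package is set only if PendingIntent equality in this test environment compares the wrapped intent's package, which cannot be confirmed from the hunk. An explicit check would make the regression test independent of that. If Robolectric's PendingIntent shadow is available here (the shadow imports suggest so), a line like `assertThat(shadowOf(pendingIntent).getSavedIntent().getPackage()).isEqualTo(Utils.SETTINGS_PACKAGE_NAME);` states the security property directly.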