From 77aa51e5b7261638590af1d69ac03f4c8cd25692 Mon Sep 17 00:00:00 2001
From: Amith Yamasani <yamasani@google.com>
Date: Wed, 25 Sep 2013 14:05:33 -0700
Subject: [PATCH] Make sure that external callers cannot pass in the confirm
 bypass extra

Security fix for vulnerability where an app could launch into the screen lock
change dialog without first confirming the existing password/pattern.

Also, make sure that the fragments are launched with the correct corresponding
activity.

Bug: 9858403
Change-Id: I0f2c00a44abeb624c6fba0497bf6036a6f1a4564
---
 AndroidManifest.xml                              |  6 +++++-
 src/com/android/settings/ChooseLockGeneric.java  | 10 ++++++++--
 src/com/android/settings/ChooseLockPassword.java |  3 +++
 src/com/android/settings/ChooseLockPattern.java  |  5 ++++-
 4 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index cf1f888ab4d..a491a1b6fcb 100644
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -959,7 +959,6 @@
 
         <!-- Second and third-level settings -->
 
-
         <!-- Lock screen settings -->
         <activity android:name="ConfirmLockPattern"/>
 
@@ -975,6 +974,11 @@
             </intent-filter>
         </activity>
 
+        <activity android:name="ChooseLockGeneric$InternalActivity" android:exported="false"
+            android:label="@string/lockpassword_choose_lock_generic_header"
+            android:excludeFromRecents="true"
+        />
+
         <activity android:name="ChooseLockPattern" android:exported="false"/>
 
         <activity android:name="ChooseLockPassword" android:exported="false"
diff --git a/src/com/android/settings/ChooseLockGeneric.java b/src/com/android/settings/ChooseLockGeneric.java
index 0f9fcee581a..81fb57a3088 100644
--- a/src/com/android/settings/ChooseLockGeneric.java
+++ b/src/com/android/settings/ChooseLockGeneric.java
@@ -45,6 +45,9 @@ public class ChooseLockGeneric extends PreferenceActivity {
         return modIntent;
     }
 
+    public static class InternalActivity extends ChooseLockGeneric {
+    }
+
     public static class ChooseLockGenericFragment extends SettingsPreferenceFragment {
         private static final int MIN_PASSWORD_LENGTH = 4;
         private static final String KEY_UNLOCK_BACKUP_INFO = "unlock_backup_info";
@@ -80,7 +83,9 @@ public class ChooseLockGeneric extends PreferenceActivity {
             // Defaults to needing to confirm credentials
             final boolean confirmCredentials = getActivity().getIntent()
                 .getBooleanExtra(CONFIRM_CREDENTIALS, true);
-            mPasswordConfirmed = !confirmCredentials;
+            if (getActivity() instanceof ChooseLockGeneric.InternalActivity) {
+                mPasswordConfirmed = !confirmCredentials;
+            }
 
             if (savedInstanceState != null) {
                 mPasswordConfirmed = savedInstanceState.getBoolean(PASSWORD_CONFIRMED);
@@ -303,7 +308,8 @@ public class ChooseLockGeneric extends PreferenceActivity {
         }
 
         private Intent getBiometricSensorIntent() {
-            Intent fallBackIntent = new Intent().setClass(getActivity(), ChooseLockGeneric.class);
+            Intent fallBackIntent = new Intent().setClass(getActivity(),
+                    ChooseLockGeneric.InternalActivity.class);
             fallBackIntent.putExtra(LockPatternUtils.LOCKSCREEN_BIOMETRIC_WEAK_FALLBACK, true);
             fallBackIntent.putExtra(CONFIRM_CREDENTIALS, false);
             fallBackIntent.putExtra(EXTRA_SHOW_FRAGMENT_TITLE,
diff --git a/src/com/android/settings/ChooseLockPassword.java b/src/com/android/settings/ChooseLockPassword.java
index 2940442417a..3a3833a038f 100644
--- a/src/com/android/settings/ChooseLockPassword.java
+++ b/src/com/android/settings/ChooseLockPassword.java
@@ -153,6 +153,9 @@ public class ChooseLockPassword extends PreferenceActivity {
             super.onCreate(savedInstanceState);
             mLockPatternUtils = new LockPatternUtils(getActivity());
             Intent intent = getActivity().getIntent();
+            if (!(getActivity() instanceof ChooseLockPassword)) {
+                throw new SecurityException("Fragment contained in wrong activity");
+            }
             mRequestedQuality = Math.max(intent.getIntExtra(LockPatternUtils.PASSWORD_TYPE_KEY,
                     mRequestedQuality), mLockPatternUtils.getRequestedPasswordQuality());
             mPasswordMinLength = Math.max(
diff --git a/src/com/android/settings/ChooseLockPattern.java b/src/com/android/settings/ChooseLockPattern.java
index 180eee19154..8f149b8a3e5 100644
--- a/src/com/android/settings/ChooseLockPattern.java
+++ b/src/com/android/settings/ChooseLockPattern.java
@@ -301,6 +301,9 @@ public class ChooseLockPattern extends PreferenceActivity {
         public void onCreate(Bundle savedInstanceState) {
             super.onCreate(savedInstanceState);
             mChooseLockSettingsHelper = new ChooseLockSettingsHelper(getActivity());
+            if (!(getActivity() instanceof ChooseLockPattern)) {
+                throw new SecurityException("Fragment contained in wrong activity");
+            }
         }
 
         @Override
@@ -331,7 +334,7 @@ public class ChooseLockPattern extends PreferenceActivity {
             topLayout.setDefaultTouchRecepient(mLockPatternView);
 
             final boolean confirmCredentials = getActivity().getIntent()
-                    .getBooleanExtra("confirm_credentials", false);
+                    .getBooleanExtra("confirm_credentials", true);
 
             if (savedInstanceState == null) {
                 if (confirmCredentials) {