From 91399607febcdc5fa4a26de2e7a5f175653af89c Mon Sep 17 00:00:00 2001
From: Tsung-Mao Fang
Date: Wed, 4 Mar 2020 18:18:41 +0800
Subject: [PATCH] Fix pendingIntent in SettingsSliceProvider could be Hijacked
A malicious app is able to obtain this pending intent. It can then mutate all fields except for the action and launch the intent. This can be used to launch any activity with the ACTION_SETTINGS action. So, we enfore assign the package name for this intent, it only can launch the settings app.
Fix: 147355897
Test: a) Install the new settings apk, and it won't launch other screen. (See details in bug) b) Start the settings search, slice search results work as normal.
Change-Id: Ie954d8a4b7153d6a4cac40621f363b45185990f2
(cherry picked from commit b3c0a2a6c1ce4eaa0853101506760f87121d4b99)
Merged-In: Ie954d8a4b7153d6a4cac40621f363b45185990f2
---
 src/com/android/settings/slices/SettingsSliceProvider.java | 4 +++-
 .../android/settings/slices/SettingsSliceProviderTest.java | 5 ++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/com/android/settings/slices/SettingsSliceProvider.java b/src/com/android/settings/slices/SettingsSliceProvider.java
index 9b5fbd86253..8b25d3a0e7a 100644
--- a/src/com/android/settings/slices/SettingsSliceProvider.java
+++ b/src/com/android/settings/slices/SettingsSliceProvider.java
@@ -42,6 +42,7 @@ import androidx.slice.Slice;
 import androidx.slice.SliceProvider;
 import com.android.settings.R;
+import com.android.settings.Utils;
 import com.android.settings.bluetooth.BluetoothSliceBuilder;
 import com.android.settings.core.BasePreferenceController;
 import com.android.settings.notification.ZenModeSliceBuilder;
@@ -303,7 +304,8 @@ public class SettingsSliceProvider extends SliceProvider {
 @Override
 public PendingIntent onCreatePermissionRequest(@NonNull Uri sliceUri, @NonNull String callingPackage) {
- final Intent settingsIntent = new Intent(Settings.ACTION_SETTINGS);
+ final Intent settingsIntent = new Intent(Settings.ACTION_SETTINGS)
+ .setPackage(Utils.SETTINGS_PACKAGE_NAME);
 final PendingIntent noOpIntent = PendingIntent.getActivity(getContext(), 0 /* requestCode */, settingsIntent, 0 /* flags */);
 return noOpIntent;
diff --git a/tests/robotests/src/com/android/settings/slices/SettingsSliceProviderTest.java b/tests/robotests/src/com/android/settings/slices/SettingsSliceProviderTest.java
index 96aaf46ef35..20a2073af2a 100644
--- a/tests/robotests/src/com/android/settings/slices/SettingsSliceProviderTest.java
+++ b/tests/robotests/src/com/android/settings/slices/SettingsSliceProviderTest.java
@@ -50,6 +50,7 @@ import androidx.slice.SliceProvider;
 import androidx.slice.widget.SliceLiveData;
 import com.android.settings.R;
+import com.android.settings.Utils;
 import com.android.settings.testutils.DatabaseTestUtils;
 import com.android.settings.testutils.FakeToggleController;
 import com.android.settings.testutils.shadow.ShadowBluetoothAdapter;
@@ -450,8 +451,10 @@ public class SettingsSliceProviderTest {
 public void onCreatePermissionRequest_returnsSettingIntent() {
 final PendingIntent pendingIntent = mProvider.onCreatePermissionRequest( CustomSliceRegistry.FLASHLIGHT_SLICE_URI, "com.android.whaaaat");
+ final Intent settingsIntent = new Intent(Settings.ACTION_SETTINGS)
+ .setPackage(Utils.SETTINGS_PACKAGE_NAME);
 PendingIntent settingsPendingIntent =
- PendingIntent.getActivity(mContext, 0, new Intent(Settings.ACTION_SETTINGS), 0);
+ PendingIntent.getActivity(mContext, 0, settingsIntent, 0);
 assertThat(pendingIntent).isEqualTo(settingsPendingIntent);
 }
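Review bot: The PendingIntent in onCreatePermissionRequest is still created with `0 /* flags */`, so it stays mutable. Pinning the package keeps it from resolving outside Settings, but a holder can presumably still fill in fields the base intent leaves unset (data, categories, extras) when sending it. The variable is named noOpIntent and nothing visible needs to alter it, so the flags argument should be `PendingIntent.FLAG_IMMUTABLE`: `PendingIntent.getActivity(getContext(), 0 /* requestCode */, settingsIntent, PendingIntent.FLAG_IMMUTABLE);`. A one-line comment above `.setPackage(...)` such as `// Pin to Settings so a holder of this PendingIntent cannot redirect it to another package.` would keep the call from being dropped in a later cleanup. The method's closing brace is outside the hunk.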
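Review bot: The regression test in SettingsSliceProviderTest only checks `isEqualTo` against a PendingIntent built the same way. Whether it fails when `.setPackage(...)` is removed depends on how the test runtime compares PendingIntents, which is not visible here. For a security fix the property is better asserted directly, by reading the wrapped intent back and checking that `getPackage()` equals `Utils.SETTINGS_PACKAGE_NAME`. If the Robolectric shadow is available in this test, something like `assertThat(shadowOf(pendingIntent).getSavedIntent().getPackage()).isEqualTo(Utils.SETTINGS_PACKAGE_NAME);` would do. The method's annotations sit above the hunk.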