PawletOS/app_Settings
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

am db591467: am 737d2d53: am 61ced6d4: am 01137c20: am 663b4e97: am 37b58a42: SECURITY: Don\'t pass a usable Pending Intent to 3rd parties.

Browse Source 
* commit 'db591467f6ae0e082c0ce627874a851f1926d63a':
  SECURITY: Don't pass a usable Pending Intent to 3rd parties.
This commit is contained in:
Carlos Valdivia
2014-09-11 17:12:11 +00:00
committed by Android Git Automerger
parent 2719eebfc5 db591467f6
commit ea2fa0d98a
1 changed files with 17 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/com/android/settings/accounts/AddAccountSettings.java
View File

@@ -23,6 +23,7 @@ import android.accounts.AuthenticatorException;
import android.accounts.OperationCanceledException; import android.accounts.OperationCanceledException;
import android.app.Activity; import android.app.Activity;
import android.app.PendingIntent; import android.app.PendingIntent;
import android.content.ComponentName;
import android.content.Context; import android.content.Context;
import android.content.Intent; import android.content.Intent;
import android.os.Bundle; import android.os.Bundle;
@@ -62,6 +63,7 @@ public class AddAccountSettings extends Activity {
* application. * application.
*/ */
private static final String KEY_CALLER_IDENTITY = "pendingIntent"; private static final String KEY_CALLER_IDENTITY = "pendingIntent";
private static final String SHOULD_NOT_RESOLVE = "SHOULDN'T RESOLVE!";
private static final String TAG = "AccountSettings"; private static final String TAG = "AccountSettings";
@@ -184,7 +186,21 @@ public class AddAccountSettings extends Activity {
private void addAccount(String accountType) { private void addAccount(String accountType) {
Bundle addAccountOptions = new Bundle(); Bundle addAccountOptions = new Bundle();
mPendingIntent = PendingIntent.getBroadcast(this, 0, new Intent(), 0); /*
* The identityIntent is for the purposes of establishing the identity
* of the caller and isn't intended for launching activities, services
* or broadcasts.
*
* Unfortunately for legacy reasons we still need to support this. But
* we can cripple the intent so that 3rd party authenticators can't
* fill in addressing information and launch arbitrary actions.
*/
Intent identityIntent = new Intent();
identityIntent.setComponent(new ComponentName(SHOULD_NOT_RESOLVE, SHOULD_NOT_RESOLVE));
identityIntent.setAction(SHOULD_NOT_RESOLVE);
identityIntent.addCategory(SHOULD_NOT_RESOLVE);
mPendingIntent = PendingIntent.getBroadcast(this, 0, identityIntent, 0);
addAccountOptions.putParcelable(KEY_CALLER_IDENTITY, mPendingIntent); addAccountOptions.putParcelable(KEY_CALLER_IDENTITY, mPendingIntent);
addAccountOptions.putBoolean(EXTRA_HAS_MULTIPLE_USERS, Utils.hasMultipleUsers(this)); addAccountOptions.putBoolean(EXTRA_HAS_MULTIPLE_USERS, Utils.hasMultipleUsers(this));
AccountManager.get(this).addAccount( AccountManager.get(this).addAccount(