Fix the security vulnerability issue in AppLocalePickerActivity

Examine whether the packages is allowed to display app locales list when creating the AppLocalePickerActivity, and examine whether the target user is the same as the calling user. Bug: 257954050 Test: Follows the test step listed in b/257954050#comment14 Change-Id: I2e25a308bcba6ea0edee89c7a78465f766bdbeac
2023-01-09 18:18:11 +08:00
parent 7dfe918785
commit ed9cbdea18
2 changed files with 180 additions and 8 deletions
--- a/src/com/android/settings/localepicker/AppLocalePickerActivity.java
+++ b/src/com/android/settings/localepicker/AppLocalePickerActivity.java
@@ -19,6 +19,7 @@ package com.android.settings.localepicker;
 import android.app.FragmentTransaction;
 import android.app.LocaleManager;
 import android.content.Context;
+import android.content.pm.PackageManager;
 import android.net.Uri;
 import android.os.Bundle;
 import android.os.LocaleList;
@@ -34,6 +35,7 @@ import com.android.internal.app.LocalePickerWithRegion;
 import com.android.internal.app.LocaleStore;
 import com.android.settings.R;
 import com.android.settings.applications.AppInfoBase;
+import com.android.settings.applications.AppLocaleUtil;
 import com.android.settings.applications.appinfo.AppLocaleDetails;
 import com.android.settings.core.SettingsBaseActivity;

@@ -64,12 +66,18 @@ public class AppLocalePickerActivity extends SettingsBaseActivity
        }
        mContextAsUser = this;
        if (getIntent().hasExtra(AppInfoBase.ARG_PACKAGE_UID)) {
-            int userId = getIntent().getIntExtra(AppInfoBase.ARG_PACKAGE_UID, -1);
-            if (userId != -1) {
-                UserHandle userHandle = UserHandle.getUserHandleForUid(userId);
+            int uid = getIntent().getIntExtra(AppInfoBase.ARG_PACKAGE_UID, -1);
+
+            if (uid != -1) {
+                UserHandle userHandle = UserHandle.getUserHandleForUid(uid);
                mContextAsUser = createContextAsUser(userHandle, 0);
            }
        }
+        if (!canDisplayLocaleUi() || mContextAsUser.getUserId() != UserHandle.myUserId()) {
+            Log.w(TAG, "Not allow to display Locale Settings UI.");
+            finish();
+            return;
+        }

        setTitle(R.string.app_locale_picker_title);
        getActionBar().setDisplayHomeAsUpEnabled(true);
@@ -160,4 +168,18 @@ public class AppLocalePickerActivity extends SettingsBaseActivity
                .replace(R.id.content_frame, mLocalePickerWithRegion)
                .commit();
    }
+
+    private boolean canDisplayLocaleUi() {
+        try {
+            PackageManager packageManager = mContextAsUser.getPackageManager();
+            return AppLocaleUtil.canDisplayLocaleUi(mContextAsUser,
+                    packageManager.getApplicationInfo(mPackageName, 0),
+                    packageManager.queryIntentActivities(AppLocaleUtil.LAUNCHER_ENTRY_INTENT,
+                            PackageManager.GET_META_DATA));
+        } catch (PackageManager.NameNotFoundException e) {
+            Log.e(TAG, "Unable to find info for package: " + mPackageName);
+        }
+
+        return false;
+    }
 }