Commit 1175720b authored by William Leshner, committed by Android Build Coastguard Worker

Fix vulnerability that allowed attackers to start arbitrary activities

Test: Flashed device and verified dream settings works as expected
Test: Installed APK from bug and verified the dream didn't allow
launching the inappropriate settings activity.
Fixes: 300090204
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bf8ff047eb25960720a688cb16aa44b3775799da)
Merged-In: I146415ad400827d0a798e27f34f098feb5e96422
Change-Id: I146415ad400827d0a798e27f34f098feb5e96422
parent 3fdf9549
+11 −2
@@ -1192,8 +1192,17 @@ public class DreamService extends Service implements Window.Callback {
        if (!flattenedString.contains("/")) {
            return new ComponentName(serviceInfo.packageName, flattenedString);
        }

        return ComponentName.unflattenFromString(flattenedString);
        // Ensure that the component is from the same package as the dream service. If not,
        // treat the component as invalid and return null instead.
        final ComponentName cn = ComponentName.unflattenFromString(flattenedString);
        if (cn == null) return null;
        if (!cn.getPackageName().equals(serviceInfo.packageName)) {
            Log.w(TAG,
                    "Inconsistent package name in component: " + cn.getPackageName()
                            + ", should be: " + serviceInfo.packageName);
            return null;
        }
        return cn;
    }

    /**
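
Review bot: the same-package check added after `ComponentName.unflattenFromString(flattenedString)` ships without an automated regression test; the commit message records only manual verification, and the +11 −2 diff consists of this single hunk. A unit test for this method should cover three inputs: a short name without "/" (resolved against `serviceInfo.packageName`), a fully qualified name in the dream's own package (returned as is), and a fully qualified name in a different package (must return null). Because the method now returns null both when `cn == null` and when the package differs, it is also worth stating that in the method's documentation so callers treat null as an invalid component and do not dereference the result.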