Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1efd9a04 authored by Azhara Assanova's avatar Azhara Assanova
Browse files

Make mutable PendingIntent explicit 

Starting from target SDK U, we will block creation of mutable
PendingIntents with implicit Intents because attackers can mutate the
Intent object within and launch altered behavior on behalf of victim
apps. For more details on the vulnerability, see go/pendingintent-rca.

From a quick analysis, we concluded that the PendingIntent here was only
destined to the test app/to the app, so it was made explicit. Reviewers,
please call out if this is not the case.

Bug: 236704164
Bug: 229362273
Test: atest OverlayManagerPerfTest
Test: atest CtsPackageInstallTestCases
Test: atest NotificationManagerServiceTest
Change-Id: I56cc8c1852caffadae424e08d7719f58779bab11
parent 397065c0

apct-tests/perftests/utils/src/android/perftests/utils/TestPackageInstaller.java

+2 −2
Original line number Diff line number Diff line
@@ -133,9 +133,9 @@ public class TestPackageInstaller { 
            mContext.registerReceiver(this, filter,

                    Context.RECEIVER_EXPORTED_UNAUDITED);



            Intent intent = new Intent(action);

            Intent intent = new Intent(action).setPackage(mContext.getPackageName());

            PendingIntent pending = PendingIntent.getBroadcast(mContext, sessionId, intent,

                    PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_MUTABLE_UNAUDITED);

                    PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_MUTABLE);

            return pending.getIntentSender();

        }

packages/PackageInstaller/src/com/android/packageinstaller/wear/PackageInstallerImpl.java

+1 −1
Original line number Diff line number Diff line
@@ -268,7 +268,7 @@ public class PackageInstallerImpl { 
                Context.RECEIVER_EXPORTED);



        // Create a matching PendingIntent and use it to generate the IntentSender

        Intent broadcastIntent = new Intent(action);

        Intent broadcastIntent = new Intent(action).setPackage(mContext.getPackageName());

        PendingIntent pendingIntent = PendingIntent.getBroadcast(mContext, packageName.hashCode(),

                broadcastIntent, PendingIntent.FLAG_ONE_SHOT | PendingIntent.FLAG_UPDATE_CURRENT

                        | PendingIntent.FLAG_MUTABLE);

services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java

+4 −2
Original line number Diff line number Diff line
@@ -839,7 +839,8 @@ public class NotificationManagerServiceTest extends UiServiceTestCase { 
                .setName("bubblebot")

                .build();

        RemoteInput remoteInput = new RemoteInput.Builder("reply_key").setLabel("reply").build();

        PendingIntent inputIntent = PendingIntent.getActivity(mContext, 0, new Intent(),

        PendingIntent inputIntent = PendingIntent.getActivity(mContext, 0,

                new Intent().setPackage(mContext.getPackageName()),

                PendingIntent.FLAG_MUTABLE);

        Icon icon = Icon.createWithResource(mContext, android.R.drawable.sym_def_app_icon);

        Notification.Action replyAction = new Notification.Action.Builder(icon, "Reply",
@@ -9227,7 +9228,8 @@ public class NotificationManagerServiceTest extends UiServiceTestCase { 
        NotificationRecord r = generateNotificationRecord(mTestNotificationChannel);

        ArrayList<Notification.Action> extraAction = new ArrayList<>();

        RemoteInput remoteInput = new RemoteInput.Builder("reply_key").setLabel("reply").build();

        PendingIntent inputIntent = PendingIntent.getActivity(mContext, 0, new Intent(),

        PendingIntent inputIntent = PendingIntent.getActivity(mContext, 0,

                new Intent().setPackage(mContext.getPackageName()),

                PendingIntent.FLAG_MUTABLE);

        Icon icon = Icon.createWithResource(mContext, android.R.drawable.sym_def_app_icon);

        Notification.Action replyAction = new Notification.Action.Builder(icon, "Reply",