
Commit 4cc920eb authored by Will Leshner's avatar Will Leshner Committed by Android Build Coastguard Worker

Fix vulnerability that allowed attackers to start arbitrary activities

Test: Flashed device and verified dream settings works as expected
Test: Installed APK from bug and verified the dream didn't allow
launching the inappropriate settings activity.
Fixes: 300090204
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6926fd15fb16c51468dde270bd61ee68772b8c14)
Merged-In: I573040df84bf98a493b39f96c8581e4303206bac
Change-Id: I573040df84bf98a493b39f96c8581e4303206bac
parent 2f5bb9c5
+11 −1
@@ -351,7 +351,17 @@ public class DreamBackend {
        if (cn != null && cn.indexOf('/') < 0) {
        if (cn != null && cn.indexOf('/') < 0) {
            cn = resolveInfo.serviceInfo.packageName + "/" + cn;
            cn = resolveInfo.serviceInfo.packageName + "/" + cn;
        }
        }
        return cn == null ? null : ComponentName.unflattenFromString(cn);
        // Ensure that the component is from the same package as the dream service. If not,
        // treat the component as invalid and return null instead.
        final ComponentName result = cn != null ? ComponentName.unflattenFromString(cn) : null;
        if (result != null
                && !result.getPackageName().equals(resolveInfo.serviceInfo.packageName)) {
            Log.w(TAG,
                    "Inconsistent package name in component: " + result.getPackageName()
                            + ", should be: " + resolveInfo.serviceInfo.packageName);
            return null;
        }
        return result;
    }
    }


    private static void logd(String msg, Object... args) {
    private static void logd(String msg, Object... args) {
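Review bot: The warning in the added `Log.w` call records only the two package names, so the log does not show which activity class the dream's metadata tried to reference; logging the whole rejected component, e.g. `"Inconsistent package name in component: " + result.flattenToShortString()`, would make a rejected dream easier to triage. The enclosing method starts above this hunk, so its Javadoc is not visible here; if it has one, it should state that null is also returned when the settings activity names a different package than the dream service. The commit message lists only manual `Test:` steps and this page shows no test change, so a unit test that supplies a settings activity from a foreign package and expects null would keep the check from regressing.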