Backport Prevent shortcut info package name spoofing (623b2b60) · Commits · e / os / android_frameworks_base

services/core/java/com/android/server/pm/ShortcutService.java

+24 −0

Original line number	Diff line number	Diff line
		@@ -132,6 +132,7 @@ import java.nio.charset.StandardCharsets;
		import java.util.ArrayList;
		import java.util.Collections;
		import java.util.List;
		import java.util.Objects;
		import java.util.concurrent.atomic.AtomicBoolean;
		import java.util.function.Consumer;
		import java.util.function.Predicate;
		@@ -1573,6 +1574,24 @@ public class ShortcutService extends IShortcutService.Stub {
		"Ephemeral apps can't use ShortcutManager");
		}

		private void verifyShortcutInfoPackage(String callerPackage, ShortcutInfo si) {
		if (si == null) {
		return;
		}
		if (!Objects.equals(callerPackage, si.getPackage())) {
		android.util.EventLog.writeEvent(0x534e4554, "109824443", -1, "");
		throw new SecurityException("Shortcut package name mismatch");
		}
		}

		private void verifyShortcutInfoPackages(
		String callerPackage, List<ShortcutInfo> list) {
		final int size = list.size();
		for (int i = 0; i < size; i++) {
		verifyShortcutInfoPackage(callerPackage, list.get(i));
		}
		}

		// Overridden in unit tests to execute r synchronously.
		void injectPostToHandler(Runnable r) {
		mHandler.post(r);
		@@ -1720,6 +1739,7 @@ public class ShortcutService extends IShortcutService.Stub {
		verifyCaller(packageName, userId);

		final List<ShortcutInfo> newShortcuts = (List<ShortcutInfo>) shortcutInfoList.getList();
		verifyShortcutInfoPackages(packageName, newShortcuts);
		final int size = newShortcuts.size();

		final boolean unlimited = injectHasUnlimitedShortcutsApiCallsPermission(
		@@ -1774,6 +1794,7 @@ public class ShortcutService extends IShortcutService.Stub {
		verifyCaller(packageName, userId);

		final List<ShortcutInfo> newShortcuts = (List<ShortcutInfo>) shortcutInfoList.getList();
		verifyShortcutInfoPackages(packageName, newShortcuts);
		final int size = newShortcuts.size();

		final boolean unlimited = injectHasUnlimitedShortcutsApiCallsPermission(
		@@ -1859,6 +1880,7 @@ public class ShortcutService extends IShortcutService.Stub {
		verifyCaller(packageName, userId);

		final List<ShortcutInfo> newShortcuts = (List<ShortcutInfo>) shortcutInfoList.getList();
		verifyShortcutInfoPackages(packageName, newShortcuts);
		final int size = newShortcuts.size();

		final boolean unlimited = injectHasUnlimitedShortcutsApiCallsPermission(
		@@ -1921,6 +1943,7 @@ public class ShortcutService extends IShortcutService.Stub {
		Preconditions.checkNotNull(shortcut);
		Preconditions.checkArgument(shortcut.isEnabled(), "Shortcut must be enabled");
		verifyCaller(packageName, userId);
		verifyShortcutInfoPackage(packageName, shortcut);

		final Intent ret;
		synchronized (mLock) {
		@@ -1942,6 +1965,7 @@ public class ShortcutService extends IShortcutService.Stub {
		private boolean requestPinItem(String packageName, int userId, ShortcutInfo shortcut,
		AppWidgetProviderInfo appWidget, Bundle extras, IntentSender resultIntent) {
		verifyCaller(packageName, userId);
		verifyShortcutInfoPackage(packageName, shortcut);

		final boolean ret;
		synchronized (mLock) {