Commit bf8ff047 authored by William Leshner

Fix vulnerability that allowed attackers to start arbitrary activities

Test: Flashed device and verified dream settings works as expected
Test: Installed APK from bug and verified the dream didn't allow
launching the inappropriate settings activity.
Fixes: 300090204

Change-Id: I146415ad400827d0a798e27f34f098feb5e96422
Merged-In: I6e90e3a0d513dceb7d7f5c59d6807ebe164c5716
parent 5e5e9db2
+11 −2
@@ -1192,8 +1192,17 @@ public class DreamService extends Service implements Window.Callback {
        if (!flattenedString.contains("/")) {
            return new ComponentName(serviceInfo.packageName, flattenedString);
        }

        return ComponentName.unflattenFromString(flattenedString);
        // Ensure that the component is from the same package as the dream service. If not,
        // treat the component as invalid and return null instead.
        final ComponentName cn = ComponentName.unflattenFromString(flattenedString);
        if (cn == null) return null;
        if (!cn.getPackageName().equals(serviceInfo.packageName)) {
            Log.w(TAG,
                    "Inconsistent package name in component: " + cn.getPackageName()
                            + ", should be: " + serviceInfo.packageName);
            return null;
        }
        return cn;
    }

    /**
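
Review bot: the new cross-package rejection at `if (!cn.getPackageName().equals(serviceInfo.packageName))` is covered only by the manual tests listed in the commit message; the visible change adds no automated test. Consider a unit test that passes a flattened string naming a different package and asserts a null result, alongside one for the short form without "/" to confirm it still resolves against `serviceInfo.packageName`. It would also help to state the null return for a mismatched package in the method's Javadoc, since the `Log.w` line is otherwise the only indication that a declared settings component was rejected.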