Loading services/core/java/com/android/server/accounts/AccountManagerService.java +25 −11 Original line number Diff line number Diff line Loading @@ -2954,9 +2954,13 @@ public class AccountManagerService * have users launching arbitrary activities by tricking users to * interact with malicious notifications. */ checkKeyIntent( if (!checkKeyIntent( Binder.getCallingUid(), intent); intent)) { onError(AccountManager.ERROR_CODE_INVALID_RESPONSE, "invalid intent in bundle returned"); return; } doNotification( mAccounts, account, Loading Loading @@ -3351,9 +3355,13 @@ public class AccountManagerService Intent intent = null; if (result != null && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) { checkKeyIntent( if (!checkKeyIntent( Binder.getCallingUid(), intent); intent)) { onError(AccountManager.ERROR_CODE_INVALID_RESPONSE, "invalid intent in bundle returned"); return; } } IAccountManagerResponse response; if (mExpectActivityLaunch && result != null Loading Loading @@ -4700,13 +4708,14 @@ public class AccountManagerService * into launching arbitrary intents on the device via by tricking to click authenticator * supplied entries in the system Settings app. */ protected void checkKeyIntent( int authUid, Intent intent) throws SecurityException { protected boolean checkKeyIntent(int authUid, Intent intent) { long bid = Binder.clearCallingIdentity(); try { PackageManager pm = mContext.getPackageManager(); ResolveInfo resolveInfo = pm.resolveActivityAsUser(intent, 0, mAccounts.userId); if (resolveInfo == null) { return false; } ActivityInfo targetActivityInfo = resolveInfo.activityInfo; int targetUid = targetActivityInfo.applicationInfo.uid; if (!isExportedSystemActivity(targetActivityInfo) Loading @@ -4716,9 +4725,10 @@ public class AccountManagerService String activityName = targetActivityInfo.name; String tmpl = "KEY_INTENT resolved to an Activity (%s) in a package (%s) that " + "does not share a signature with the supplying authenticator (%s)."; throw new SecurityException( String.format(tmpl, activityName, pkgName, mAccountType)); Log.e(TAG, String.format(tmpl, activityName, pkgName, mAccountType)); return false; } return true; } finally { Binder.restoreCallingIdentity(bid); } Loading Loading @@ -4868,9 +4878,13 @@ public class AccountManagerService } if (result != null && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) { checkKeyIntent( if (!checkKeyIntent( Binder.getCallingUid(), intent); intent)) { onError(AccountManager.ERROR_CODE_INVALID_RESPONSE, "invalid intent in bundle returned"); return; } } if (result != null && !TextUtils.isEmpty(result.getString(AccountManager.KEY_AUTHTOKEN))) { Loading Loading
services/core/java/com/android/server/accounts/AccountManagerService.java +25 −11 Original line number Diff line number Diff line Loading @@ -2954,9 +2954,13 @@ public class AccountManagerService * have users launching arbitrary activities by tricking users to * interact with malicious notifications. */ checkKeyIntent( if (!checkKeyIntent( Binder.getCallingUid(), intent); intent)) { onError(AccountManager.ERROR_CODE_INVALID_RESPONSE, "invalid intent in bundle returned"); return; } doNotification( mAccounts, account, Loading Loading @@ -3351,9 +3355,13 @@ public class AccountManagerService Intent intent = null; if (result != null && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) { checkKeyIntent( if (!checkKeyIntent( Binder.getCallingUid(), intent); intent)) { onError(AccountManager.ERROR_CODE_INVALID_RESPONSE, "invalid intent in bundle returned"); return; } } IAccountManagerResponse response; if (mExpectActivityLaunch && result != null Loading Loading @@ -4700,13 +4708,14 @@ public class AccountManagerService * into launching arbitrary intents on the device via by tricking to click authenticator * supplied entries in the system Settings app. */ protected void checkKeyIntent( int authUid, Intent intent) throws SecurityException { protected boolean checkKeyIntent(int authUid, Intent intent) { long bid = Binder.clearCallingIdentity(); try { PackageManager pm = mContext.getPackageManager(); ResolveInfo resolveInfo = pm.resolveActivityAsUser(intent, 0, mAccounts.userId); if (resolveInfo == null) { return false; } ActivityInfo targetActivityInfo = resolveInfo.activityInfo; int targetUid = targetActivityInfo.applicationInfo.uid; if (!isExportedSystemActivity(targetActivityInfo) Loading @@ -4716,9 +4725,10 @@ public class AccountManagerService String activityName = targetActivityInfo.name; String tmpl = "KEY_INTENT resolved to an Activity (%s) in a package (%s) that " + "does not share a signature with the supplying authenticator (%s)."; throw new SecurityException( String.format(tmpl, activityName, pkgName, mAccountType)); Log.e(TAG, String.format(tmpl, activityName, pkgName, mAccountType)); return false; } return true; } finally { Binder.restoreCallingIdentity(bid); } Loading Loading @@ -4868,9 +4878,13 @@ public class AccountManagerService } if (result != null && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) { checkKeyIntent( if (!checkKeyIntent( Binder.getCallingUid(), intent); intent)) { onError(AccountManager.ERROR_CODE_INVALID_RESPONSE, "invalid intent in bundle returned"); return; } } if (result != null && !TextUtils.isEmpty(result.getString(AccountManager.KEY_AUTHTOKEN))) { Loading
