Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c3ea2d31 authored by Pinyao Ting's avatar Pinyao Ting Committed by Android Build Coastguard Worker
Browse files

Security fixes for PendingIntent related apis in LauncherApps 

Allowing arbitrary activityOptions during the creation of PendingIntent
is a source of security vulnerability. This CL removes activityOptions
from the call-site.

Bug: 209607104
Test: manual
Change-Id: Id262b9a0de58d8834c85d925cf84bb44b8b99742
Merged-In: Id262b9a0de58d8834c85d925cf84bb44b8b99742
(cherry picked from commit e41e04bb)
Merged-In:Id262b9a0de58d8834c85d925cf84bb44b8b99742
parent e74a2a32

core/java/android/content/pm/LauncherApps.java

+6 −4
Original line number Diff line number Diff line
@@ -739,7 +739,7 @@ public class LauncherApps { 
     * {@link #startMainActivity(ComponentName, UserHandle, Rect, Bundle)}.

     *

     * @param component The ComponentName of the activity to launch

     * @param startActivityOptions Options to pass to startActivity

     * @param startActivityOptions This parameter is no longer supported

     * @param user The UserHandle of the profile

     * @hide

     */
@@ -751,7 +751,8 @@ public class LauncherApps { 
            Log.i(TAG, "GetMainActivityLaunchIntent " + component + " " + user);

        }

        try {

            return mService.getActivityLaunchIntent(component, startActivityOptions, user);

            // due to b/209607104, startActivityOptions will be ignored

            return mService.getActivityLaunchIntent(component, null /* opts */, user);

        } catch (RemoteException re) {

            throw re.rethrowFromSystemServer();

        }
@@ -846,7 +847,7 @@ public class LauncherApps { 
     *

     * @param packageName The packageName of the shortcut

     * @param shortcutId The id of the shortcut

     * @param opts Options to pass to the PendingIntent

     * @param opts This parameter is no longer supported

     * @param user The UserHandle of the profile

     */

    @Nullable
@@ -858,8 +859,9 @@ public class LauncherApps { 
            Log.i(TAG, "GetShortcutIntent " + packageName + "/" + shortcutId + " " + user);

        }

        try {

            // due to b/209607104, opts will be ignored

            return mService.getShortcutIntent(

                    mContext.getPackageName(), packageName, shortcutId, opts, user);

                    mContext.getPackageName(), packageName, shortcutId, null /* opts */, user);

        } catch (RemoteException re) {

            throw re.rethrowFromSystemServer();

        }

services/core/java/com/android/server/pm/LauncherAppsService.java

+2 −2
Original line number Diff line number Diff line
@@ -815,7 +815,7 @@ public class LauncherAppsService extends SystemService { 
        PendingIntent injectCreatePendingIntent(int requestCode, @NonNull Intent[] intents,

                int flags, Bundle options, String ownerPackage, int ownerUserId) {

            return mActivityManagerInternal.getPendingIntentActivityAsApp(requestCode, intents,

                    flags, options, ownerPackage, ownerUserId);

                    flags, null /* options */, ownerPackage, ownerUserId);

        }



        @Override
@@ -1117,7 +1117,7 @@ public class LauncherAppsService extends SystemService { 
                // calling identity to mirror the startActivityAsUser() call which does not validate

                // the calling user

                return PendingIntent.getActivityAsUser(mContext, 0 /* requestCode */, launchIntent,

                        FLAG_IMMUTABLE, opts, user);

                        FLAG_IMMUTABLE, null /* options */, user);

            } finally {

                Binder.restoreCallingIdentity(ident);

            }