Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e41e04bb authored by Pinyao Ting's avatar Pinyao Ting
Browse files

Security fixes for PendingIntent related apis in LauncherApps 

Allowing arbitrary activityOptions during the creation of PendingIntent
is a source of security vulnerability. This CL removes activityOptions
from the call-site.

Bug: 209607104
Test: manual
Change-Id: Id262b9a0de58d8834c85d925cf84bb44b8b99742
Merged-In: Id262b9a0de58d8834c85d925cf84bb44b8b99742
parent 6a0f27d5

core/java/android/content/pm/LauncherApps.java

+6 −4
Original line number Diff line number Diff line
@@ -739,7 +739,7 @@ public class LauncherApps { 
     * {@link #startMainActivity(ComponentName, UserHandle, Rect, Bundle)}.

     *

     * @param component The ComponentName of the activity to launch

     * @param startActivityOptions Options to pass to startActivity

     * @param startActivityOptions This parameter is no longer supported

     * @param user The UserHandle of the profile

     * @hide

     */
@@ -751,7 +751,8 @@ public class LauncherApps { 
            Log.i(TAG, "GetMainActivityLaunchIntent " + component + " " + user);

        }

        try {

            return mService.getActivityLaunchIntent(component, startActivityOptions, user);

            // due to b/209607104, startActivityOptions will be ignored

            return mService.getActivityLaunchIntent(component, null /* opts */, user);

        } catch (RemoteException re) {

            throw re.rethrowFromSystemServer();

        }
@@ -846,7 +847,7 @@ public class LauncherApps { 
     *

     * @param packageName The packageName of the shortcut

     * @param shortcutId The id of the shortcut

     * @param opts Options to pass to the PendingIntent

     * @param opts This parameter is no longer supported

     * @param user The UserHandle of the profile

     */

    @Nullable
@@ -858,8 +859,9 @@ public class LauncherApps { 
            Log.i(TAG, "GetShortcutIntent " + packageName + "/" + shortcutId + " " + user);

        }

        try {

            // due to b/209607104, opts will be ignored

            return mService.getShortcutIntent(

                    mContext.getPackageName(), packageName, shortcutId, opts, user);

                    mContext.getPackageName(), packageName, shortcutId, null /* opts */, user);

        } catch (RemoteException re) {

            throw re.rethrowFromSystemServer();

        }

services/core/java/com/android/server/pm/LauncherAppsService.java

+2 −2
Original line number Diff line number Diff line
@@ -815,7 +815,7 @@ public class LauncherAppsService extends SystemService { 
        PendingIntent injectCreatePendingIntent(int requestCode, @NonNull Intent[] intents,

                int flags, Bundle options, String ownerPackage, int ownerUserId) {

            return mActivityManagerInternal.getPendingIntentActivityAsApp(requestCode, intents,

                    flags, options, ownerPackage, ownerUserId);

                    flags, null /* options */, ownerPackage, ownerUserId);

        }



        @Override
@@ -1117,7 +1117,7 @@ public class LauncherAppsService extends SystemService { 
                // calling identity to mirror the startActivityAsUser() call which does not validate

                // the calling user

                return PendingIntent.getActivityAsUser(mContext, 0 /* requestCode */, launchIntent,

                        FLAG_IMMUTABLE, opts, user);

                        FLAG_IMMUTABLE, null /* options */, user);

            } finally {

                Binder.restoreCallingIdentity(ident);

            }