Fix vulnerability by explicitly set the class name of avatar picker.

    <!-- Control whether status bar should distinguish HSPA data icon form UMTS

    data icon on devices -->

    <bool name="config_hspa_data_distinguishable">false</bool>

    <!-- Edit User avatar explicit package name -->

    <string name="config_avatar_picker_package" translatable="false">

        com.android.avatarpicker

    </string>

    <!-- Edit User avatar explicit activity class -->

    <string name="config_avatar_picker_class" translatable="false">

        com.android.avatarpicker.ui.AvatarPickerActivity

    </string>

</resources>

 No newline at end of file

import com.android.internal.util.UserIcons;

import com.android.settingslib.drawable.CircleFramedDrawable;

import com.android.settingslib.R;

import com.android.settingslib.utils.ThreadUtils;

import com.google.common.util.concurrent.FutureCallback;

        intent.addCategory(Intent.CATEGORY_DEFAULT);

        if (Flags.avatarSync()) {

            intent.putExtra(EXTRA_IS_USER_NEW, isUserNew);

            // Fix vulnerability b/341688848 by explicitly set the class name of avatar picker.

            if (Flags.fixAvatarCrossUserLeak()) {

                final String packageName =

                        mActivity.getString(R.string.config_avatar_picker_package);

                final String className = mActivity.getString(R.string.config_avatar_picker_class);

                intent.setClassName(packageName, className);

            }

        } else {

            // SettingsLib is used by multiple apps therefore we need to know out of all apps

            // using settingsLib which one is the one we return value to.