
Commit 78ce5e8c authored by Andres Morales

Prevent newlines and long captions selecting default payment app

This would allow attackers to spoof the default selection
dialog, causing the user to unknowingly change their default
payment handler.

Bug: 15906632
Change-Id: I49ad2a7351bd6d2c1f9a79ad9be0cbc9787ca6c3
parent f34c3501
+17 −3
@@ -34,6 +34,7 @@ public final class PaymentDefaultDialog extends AlertActivity implements
        DialogInterface.OnClickListener {

    public static final String TAG = "PaymentDefaultDialog";
    private static final int PAYMENT_APP_MAX_CAPTION_LENGTH = 40;

    private PaymentBackend mBackend;
    private ComponentName mNewDefault;
@@ -109,12 +110,14 @@ public final class PaymentDefaultDialog extends AlertActivity implements
        p.mTitle = getString(R.string.nfc_payment_set_default_label);
        if (defaultPaymentApp == null) {
            String formatString = getString(R.string.nfc_payment_set_default);
            String msg = String.format(formatString, requestedPaymentApp.caption);
            String msg = String.format(formatString,
                    sanitizePaymentAppCaption(requestedPaymentApp.caption.toString()));
            p.mMessage = msg;
        } else {
            String formatString = getString(R.string.nfc_payment_set_default_instead_of);
            String msg = String.format(formatString, requestedPaymentApp.caption,
                    defaultPaymentApp.caption);
            String msg = String.format(formatString,
                    sanitizePaymentAppCaption(requestedPaymentApp.caption.toString()),
                    sanitizePaymentAppCaption(defaultPaymentApp.caption.toString()));
            p.mMessage = msg;
        }
        p.mPositiveButtonText = getString(R.string.yes);
@@ -126,4 +129,15 @@ public final class PaymentDefaultDialog extends AlertActivity implements
        return true;
    }

    private String sanitizePaymentAppCaption(String input) {
        String sanitizedString = input.replace('\n', ' ').replace('\r', ' ').trim();


        if (sanitizedString.length() > PAYMENT_APP_MAX_CAPTION_LENGTH) {
            return sanitizedString.substring(0, PAYMENT_APP_MAX_CAPTION_LENGTH);
        }

        return sanitizedString;
    }

}
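Review bot: `sanitizePaymentAppCaption` in the last hunk neutralises only `\n` and `\r`, so other control characters and the Unicode line and paragraph separators in an app-supplied caption still reach `p.mMessage` and can affect how the confirmation text is laid out. Normalising the whole class in one pass would close that gap, for example `String sanitizedString = input.replaceAll("[\\p{Cntrl}\\p{Zl}\\p{Zp}]", " ").trim();`. The truncation with `substring(0, PAYMENT_APP_MAX_CAPTION_LENGTH)` counts UTF-16 units, so it can cut a surrogate pair in half and leave a stray half-character at the end of the caption. The call sites also use `caption.toString()` without a null check; whether `caption` can be null is not visible in these hunks, so that should be confirmed against the code that populates it. A short comment on the method explaining that captions are untrusted, app-controlled text, and why 40 was chosen as the limit, would help the next reader.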