Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 841fb384 authored by Jason Chiu's avatar Jason Chiu
Browse files

Block the content scheme intent in AccountTypePreferenceLoader 

Bug: 366401629
Flag: EXEMPT security fix
Test: atest AccountTypePreferenceLoaderTest, manual
Change-Id: Ica87087341cc983df04190919e33dc369fa18619
parent c0a4fec1

src/com/android/settings/accounts/AccountTypePreferenceLoader.java

+14 −7
Original line number Diff line number Diff line
@@ -20,6 +20,7 @@ package com.android.settings.accounts; 
import android.accounts.Account;

import android.accounts.AuthenticatorDescription;

import android.content.ClipData;

import android.content.ContentResolver;

import android.content.Context;

import android.content.Intent;

import android.content.pm.ActivityInfo;
@@ -242,13 +243,19 @@ public class AccountTypePreferenceLoader { 
    }



    /**

     * Determines if the supplied Intent is safe. A safe intent is one that is

     * will launch a exported=true activity or owned by the same uid as the

     * Determines if the supplied Intent is safe. A safe intent is one that

     * will launch an exported=true activity or owned by the same uid as the

     * authenticator supplying the intent.

     */

    private boolean isSafeIntent(PackageManager pm, Intent intent, String acccountType) {

    @VisibleForTesting

    boolean isSafeIntent(PackageManager pm, Intent intent, String accountType) {

        if (TextUtils.equals(intent.getScheme(), ContentResolver.SCHEME_CONTENT)) {

            Log.e(TAG, "Intent with a content scheme is unsafe.");

            return false;

        }



        AuthenticatorDescription authDesc =

            mAuthenticatorHelper.getAccountTypeDescription(acccountType);

                mAuthenticatorHelper.getAccountTypeDescription(accountType);

        ResolveInfo resolveInfo = pm.resolveActivityAsUser(intent, 0, mUserHandle.getIdentifier());

        if (resolveInfo == null) {

            return false;

tests/robotests/src/com/android/settings/accounts/AccountTypePreferenceLoaderTest.java

+12 −0
Original line number Diff line number Diff line
@@ -30,8 +30,11 @@ import static org.mockito.Mockito.when; 
import android.accounts.Account;

import android.accounts.AccountManager;

import android.accounts.AuthenticatorDescription;

import android.content.ClipData;

import android.content.Context;

import android.content.Intent;

import android.content.pm.PackageManager;

import android.net.Uri;

import android.os.UserHandle;



import androidx.collection.ArraySet;
@@ -250,4 +253,13 @@ public class AccountTypePreferenceLoaderTest { 
        mPrefLoader.filterBlockedFragments(parent, Set.of("nomatch", "other"));

        verify(pref).setOnPreferenceClickListener(any());

    }



    @Test

    public void isSafeIntent_hasContextScheme_returnFalse() {

        Intent intent = new Intent();

        intent.setClipData(ClipData.newRawUri(null,

                Uri.parse("content://com.android.settings.files/my_cache/NOTICE.html")));



        assertThat(mPrefLoader.isSafeIntent(mPackageManager, intent, mAccount.type)).isFalse();

    }

}