This project is mirrored from https://github.com/LineageOS/android_packages_apps_Settings.git.
  1. 10 Aug, 2021 1 commit
  2. 04 Aug, 2021 1 commit
  3. 18 Jul, 2021 1 commit
  4. 09 Jul, 2021 1 commit
  5. 17 Jun, 2021 1 commit
  6. 11 Jun, 2021 3 commits
    • Merge cherrypicks of [14947012, 14947430, 14947171, 14947470, 14947471,... · a76c9f4c
      Android Build Coastguard Worker authored
      Merge cherrypicks of [14947012, 14947430, 14947171, 14947470, 14947471, 14947013, 14947490] into security-aosp-pi-release
      
      Change-Id: I409d5f8d7e7edf40ca5291d8c017540b7fdcd485
    • RESTRICT AUTOMERGE Fix unable to send file via OPP · 12117ce5
      Hugh Chen authored
      The Bluetooth app will indicate BluetoothOppReceiver to receive
      the device picker intent. But to fix the security issue we
      removed the setClassName() method in ag/14111132 to avoid an attack.
      This causes BluetoothOppReceiver to be unable to receive the intent.
      
      This CL will compare the calling package name with the launch package name.
      If they are not equal, setClassName() will not be invoked.
      
      Bug: 186490534
      Bug: 179386960
      Bug: 179386068
      
      Test: make RunSettingsRoboTests -j56
      Change-Id: Ia51528f2a44ab73edbc86899ca0846d3262fe1f0
      (cherry picked from commit bb5be240c0982f2e098978fec187fc735c0e7ad9)
      (cherry picked from commit f727d5cf2ab9a88857c2d412f84f496ea4311f9b)
    • RESTRICT AUTOMERGE Fix bluetooth settings will broadcast to anywhere when some cases · a01db8fd
      Hugh Chen authored
      BluetoothPermissionActivity and DevicePickerFragment will send
      a broadcast to return the result to calling apps. As this broadcast
      intent is from Settings with uid 1000, it will be sent to any
      protected BroadcastReceivers in the device. It can allow an attacker
      to send a broadcast to protected BroadcastReceivers like the factory reset intent
      (android/com.android.server.MasterClearReceiver) via
      BluetoothPermissionActivity or DevicePickerFragment.
      
      This CL will not allow setting the package name and class name, to avoid
      the attacker.
      
      Bug: 179386960
      Bug: 179386068
      Test: make -j42 RunSettingsRoboTests and use test apk to manually test
      to verify factory reset not started and no system UI notification.
      
      Change-Id: Id27a78091ab578077853b8fbb97a4422cff0a158
      (cherry picked from commit 8adedc62496cf8cf6ecfc6ccf23b0b248081d7d4)
      (cherry picked from commit 093ac45cd840162f9359ed158a86a230279d17ba)
  7. 10 Jun, 2021 1 commit
  8. 04 Jun, 2021 2 commits
  9. 14 May, 2021 1 commit
    • Prevent HTML Injection on the Device Admin request screen · 6e78aae9
      Tsung-Mao Fang authored
      The root issue is that CharSequence is an interface.
      String implements that interface; however, so does the Spanned
      class, which is a rich text format that can store HTML code.
      
      The solution is to enforce use of the String type, which won't
      include any HTML function.
      
      Test: Rebuilt apk and see the string without HTML style.
      Bug: 179042963
      Change-Id: I53b460b12da918e022d2f2934f114d205dbaadb0
      Merged-In: I53b460b12da918e022d2f2934f114d205dbaadb0
      (cherry picked from commit 80c3f6d4d84f822d1c3f41e6cb55fc05130e2b17)
  10. 10 May, 2021 1 commit
  11. 05 May, 2021 1 commit
  12. 13 Apr, 2021 1 commit
  13. 08 Apr, 2021 2 commits
    • Merge cherrypicks of [14126781, 14126782, 14127202, 14128466, 14127516,... · 320ff004
      android-build-team Robot authored
      Merge cherrypicks of [14126781, 14126782, 14127202, 14128466, 14127516, 14128057, 14127204, 14128747, 14128708, 14128059, 14128686, 14128127, 14128507, 14128809, 14128810, 14128811, 14128812] into security-aosp-pi-release
      
      Change-Id: I40a76fb1045e81d2e9378e180f33d5c18d74038f
    • Hide non-system overlay window on ActivityPicker · 2bf3ac56
      Arc Wang authored
      To improve security.
      
      Bug: 181962311
      Test: manual
            Show an AlertDialog and observe whether it hides after the command below.
            adb shell am start -a android.intent.action.PICK_ACTIVITY -n com.android.settings/.ActivityPicker
      Change-Id: I43bb0f47a96719c61c5beb4ddf486b14cbdd6ee8
      Merged-In: I6e2845cc19dc012cba2933318a067bbb8db90a23
      (cherry picked from commit 636e70fb)
  14. 07 Apr, 2021 1 commit
  15. 02 Apr, 2021 2 commits
  16. 13 Mar, 2021 1 commit
    • Prevent using invalid result uri during multi user image change · 188ade07
      Andras Kloczl authored
      Test: manual
      Bug: 172939189
      Change-Id: I258c305f825da94474c8027828e3b9707b463699
      Merged-In: I258c305f825da94474c8027828e3b9707b463699
      Merged-In: I3e6f6200e82e86d6a2085652906ad2d0d44814f5
      Merged-In: Id2e598878b3250e8b3590905c6def561e2437d55
      Merged-In: I15e15ad88b768a5b679de32c5429d921d850a3cb
      (cherry picked from commit 9c0024f4)
  17. 10 Mar, 2021 2 commits
  18. 24 Feb, 2021 2 commits
  19. 19 Feb, 2021 3 commits
  20. 10 Feb, 2021 1 commit
  21. 07 Feb, 2021 2 commits
  22. 05 Feb, 2021 3 commits
    • RESTRICT AUTOMERGE Update String · b158f9d6
      Hugh Chen authored
      Remove brackets.
      
      Bug: 176106404
      Bug: 167403112
      Test: build pass
      Change-Id: Ib9a3c4fa3c6ea1ca54244d672bdc3e12d51a719f
      (cherry picked from commit ccbe74f5)
    • RESTRICT AUTOMERGE Fix phishing attacks over Bluetooth due to unclear warning message · 2aeb5295
      Hugh Chen authored
      Before this CL, there is a possible phishing attack allowing a malicious
      BT device to acquire permissions based on insufficient information
      presented to the user in the consent dialog. This could lead to local
      escalation of privilege with no additional execution privileges needed.
      User interaction is needed for exploitation.
      
      This CL adds more prompts presented to users to avoid phishing attacks.
      
      Merge Conflict Notes:
      There were a number of entries in strings.xml that did not exist on this
      branch. However, as the CL only adds new entries rather than modifying
      old ones this should not cause a problem. There were no merge conflicts
      in the java files.
      
      Bug: 167403112
      Test: send intent to test that the right prompt message pops up. make -j42 RunSettingsRoboTests
      Change-Id: Idc6ef558b692115bb82ea58cf223f5919b618633
      (cherry picked from commit 01a50db6)
    • Use the new GitLab CI template · 60d12ead
      Romain Hunault authored
  23. 02 Feb, 2021 1 commit
  24. 28 Jan, 2021 1 commit
  25. 16 Jan, 2021 2 commits
  26. 16 Dec, 2020 2 commits