Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 10b0b0dc authored by akirilov's avatar akirilov
Browse files

RESTRICT AUTOMERGE: Trust session id only if started with ACTION_CONFIRM_INSTALL 

InstallStart was reading sessionInfo whenever the starting intent had
the extra EXTRA_SESSION_ID. This could happen even if an external app
inserted a valid session id into its own REQUEST_INSTALL_PACKAGE intent.
This allows apps to potentially spoof the calling package.

Test: Existing tests pass:
atest GtsPackageInstallTestCases GtsNoPermissionTestCases \
GtsNoPermissionTestCases25

Bug: 112031362
Change-Id: Icdab1deeaf6b0afe7a61709cd87305336c467e33
parent de433776

src/com/android/packageinstaller/InstallStart.java

+7 −2
Original line number Diff line number Diff line
@@ -55,9 +55,14 @@ public class InstallStart extends Activity { 
        Intent intent = getIntent();

        String callingPackage = getCallingPackage();



        final boolean isSessionInstall =

                PackageInstaller.ACTION_CONFIRM_PERMISSIONS.equals(intent.getAction());



        // If the activity was started via a PackageInstaller session, we retrieve the calling

        // package from that session

        int sessionId = intent.getIntExtra(PackageInstaller.EXTRA_SESSION_ID, -1);

        final int sessionId = (isSessionInstall

                ? intent.getIntExtra(PackageInstaller.EXTRA_SESSION_ID, -1)

                : -1);

        if (callingPackage == null && sessionId != -1) {

            PackageInstaller packageInstaller = getPackageManager().getPackageInstaller();

            PackageInstaller.SessionInfo sessionInfo = packageInstaller.getSessionInfo(sessionId);
@@ -100,7 +105,7 @@ public class InstallStart extends Activity { 
        nextActivity.putExtra(PackageInstallerActivity.EXTRA_ORIGINAL_SOURCE_INFO, sourceInfo);

        nextActivity.putExtra(Intent.EXTRA_ORIGINATING_UID, originatingUid);



        if (PackageInstaller.ACTION_CONFIRM_PERMISSIONS.equals(intent.getAction())) {

        if (isSessionInstall) {

            nextActivity.setClass(this, PackageInstallerActivity.class);

        } else {

            Uri packageUri = intent.getData();