Commit 770be266 authored by akirilov, committed by Kevin Haggerty

RESTRICT AUTOMERGE: Trust session id only if started with ACTION_CONFIRM_INSTALL

InstallStart was reading sessionInfo whenever the starting intent had
the extra EXTRA_SESSION_ID. This could happen even if an external app
inserted a valid session id into its own REQUEST_INSTALL_PACKAGE intent.
This allows apps to potentially spoof the calling package.

Test: Existing tests pass:
atest GtsPackageInstallTestCases GtsNoPermissionTestCases \
GtsNoPermissionTestCases25

Bug: 112031362
Change-Id: Icdab1deeaf6b0afe7a61709cd87305336c467e33
(cherry picked from commit 10b0b0dc)
parent 4fb92827
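
The check described in the commit message, modelled in plain Java as an added example; it is not the commit's diff or AOSP code. `FakeIntent`, the `SESSIONS` table, the package names and the fallback to the real caller are assumptions standing in for `Intent`, the installer's session lookup and InstallStart's caller resolution.

```java
import java.util.Map;

public class SessionIdTrustDemo {
    // String values of the Android constants named in the commit message.
    static final String ACTION_CONFIRM_INSTALL = "android.content.pm.action.CONFIRM_INSTALL";
    static final String EXTRA_SESSION_ID = "android.content.pm.extra.SESSION_ID";
    static final int INVALID_ID = -1; // mirrors SessionInfo.INVALID_ID

    // Hypothetical stand-in for android.content.Intent: an action plus int extras.
    record FakeIntent(String action, Map<String, Integer> extras) {
        int getIntExtra(String key, int def) { return extras.getOrDefault(key, def); }
    }

    // Constructed session table: session id -> package that created the session.
    static final Map<Integer, String> SESSIONS = Map.of(42, "com.example.store");

    // Before the fix: the extra alone decides whether session info is read,
    // so the session owner is reported as the caller for any action.
    static String callerBefore(FakeIntent intent, String realCaller) {
        int id = intent.getIntExtra(EXTRA_SESSION_ID, INVALID_ID);
        return SESSIONS.getOrDefault(id, realCaller);
    }

    // After the fix: the extra is honoured only when the intent was started
    // with ACTION_CONFIRM_INSTALL; otherwise the real caller is kept.
    static String callerAfter(FakeIntent intent, String realCaller) {
        boolean isSessionInstall = ACTION_CONFIRM_INSTALL.equals(intent.action());
        int id = isSessionInstall
                ? intent.getIntExtra(EXTRA_SESSION_ID, INVALID_ID)
                : INVALID_ID;
        return SESSIONS.getOrDefault(id, realCaller);
    }

    public static void main(String[] args) {
        Map<String, Integer> extras = Map.of(EXTRA_SESSION_ID, 42); // constructed sample
        // Constructed inputs: the same extra carried by two different actions.
        FakeIntent confirm = new FakeIntent(ACTION_CONFIRM_INSTALL, extras);
        FakeIntent external = new FakeIntent("android.intent.action.INSTALL_PACKAGE", extras);
        String realCaller = "com.example.otherapp"; // constructed package name
        for (FakeIntent i : new FakeIntent[] {confirm, external}) {
            System.out.printf("%s%n  before: %s%n  after:  %s%n", i.action(),
                    callerBefore(i, realCaller), callerAfter(i, realCaller));
        }
    }
}
```

For the second intent the "before" path reports `com.example.store` as the caller, while the "after" path keeps `com.example.otherapp`.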