Enforce same package name when connecting to widget service Bug: 361181621 Flag: android.appwidget.flags.remote_adapter_conversion Test: Manually verified Change-Id: I0aac4877638136291d8c7053632d60f1bcccd280

commit: 3228124ade4355714b1263262506c8f23ec8d07f [log] [tgz]
author: Sihua Ma <sihua@google.com> Tue Nov 19 20:18:09 2024 +0000
committer: Sihua Ma <sihua@google.com> Tue Nov 19 22:06:16 2024 +0000
tree: b585bf80a693715bb22b8137c7651cf3f9e0f137
parent: 152b4dd204211f7b1889b0b32928f92be0ff9a2a [diff]
diff --git a/core/java/android/widget/RemoteViews.java b/core/java/android/widget/RemoteViews.java
index 9b6311f..5dce7c6 100644
--- a/core/java/android/widget/RemoteViews.java
+++ b/core/java/android/widget/RemoteViews.java

@@ -1559,6 +1559,16 @@
             final Context context = ActivityThread.currentApplication();
 
             final CompletableFuture<RemoteCollectionItems> result = new CompletableFuture<>();
+            String contextPackageName = context.getPackageName();
+            ComponentName intentComponent = intent.getComponent();
+            if (contextPackageName != null
+                    && intentComponent != null
+                    && (!contextPackageName.equals(intentComponent.getPackageName()))) {
+                // We shouldn't allow for connections to other packages
+                result.complete(new RemoteCollectionItems.Builder().build());
+                return result;
+            }
+
             context.bindService(intent, Context.BindServiceFlags.of(Context.BIND_AUTO_CREATE),
                     result.defaultExecutor(), new ServiceConnection() {
                         @Override
commit	3228124ade4355714b1263262506c8f23ec8d07f	[log] [tgz]
author	Sihua Ma <sihua@google.com>	Tue Nov 19 20:18:09 2024 +0000
committer	Sihua Ma <sihua@google.com>	Tue Nov 19 22:06:16 2024 +0000
tree	b585bf80a693715bb22b8137c7651cf3f9e0f137
parent	152b4dd204211f7b1889b0b32928f92be0ff9a2a [diff]