Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_apps_Settings / 07ab95c43e49facb0fc4dd11d68645b4fe8d4c88^! / .
commit07ab95c43e49facb0fc4dd11d68645b4fe8d4c88[log] [tgz]
authorFyodor Kupolov <fkupolov@google.com>Tue Nov 18 15:08:12 2014 -0800
committerFyodor Kupolov <fkupolov@google.com>Tue Nov 18 17:12:54 2014 -0800
tree1101c987d2696fb39d991f5c8ea7205c9e7d846c
parentc88cdea2bb6f830abb8f1fe3b422368d3275f88c [diff]
Added a check if a custom activity can be started

AppRestrictionsFragment starts an activity using an intent provided by the
receiver. A check was added to prevent an app from starting an activity that
it does not own.

Bug: 14441412
Change-Id: Ia6820b1daf3783d605b92976c78cb522b17dc8f2

diff --git a/src/com/android/settings/users/AppRestrictionsFragment.java b/src/com/android/settings/users/AppRestrictionsFragment.java
index 6fa5a79..38cdc42 100644
--- a/src/com/android/settings/users/AppRestrictionsFragment.java
+++ b/src/com/android/settings/users/AppRestrictionsFragment.java

@@ -23,6 +23,7 @@
 import android.content.Intent;
 import android.content.IntentFilter;
 import android.content.RestrictionEntry;
+import android.content.pm.ActivityInfo;
 import android.content.pm.ApplicationInfo;
 import android.content.pm.IPackageManager;
 import android.content.pm.PackageInfo;
@@ -905,6 +906,7 @@
             } else if (restrictionsIntent != null) {
                 preference.setRestrictions(restrictions);
                 if (invokeIfCustom && AppRestrictionsFragment.this.isResumed()) {
+                    assertSafeToStartCustomActivity(restrictionsIntent);
                     int requestCode = generateCustomActivityRequestCode(
                             RestrictionsResultReceiver.this.preference);
                     AppRestrictionsFragment.this.startActivityForResult(
@@ -912,6 +914,25 @@
                 }
             }
         }
+
+        private void assertSafeToStartCustomActivity(Intent intent) {
+            // Activity can be started if it belongs to the same app
+            if (intent.getPackage() != null && intent.getPackage().equals(packageName)) {
+                return;
+            }
+            // Activity can be started if intent resolves to multiple activities
+            List<ResolveInfo> resolveInfos = AppRestrictionsFragment.this.mPackageManager
+                    .queryIntentActivities(intent, 0 /* no flags */);
+            if (resolveInfos.size() != 1) {
+                return;
+            }
+            // Prevent potential privilege escalation
+            ActivityInfo activityInfo = resolveInfos.get(0).activityInfo;
+            if (!packageName.equals(activityInfo.packageName)) {
+                throw new SecurityException("Application " + packageName
+                        + " is not allowed to start activity " + intent);
+            };
+        }
     }
 
     private void onRestrictionsReceived(AppRestrictionsPreference preference, String packageName,