Fix app name label spoofing
Fix idea was copied from
frameworks/base/core/java/android/accounts/ChooseAccountActivity.java
Bug: 183710549
Test: verified with POC app from bug that the fix is working
Change-Id: I40131965ed0d1e11cdf4b56daef39a95b80fdd7d
diff --git a/src/com/android/settings/bluetooth/RequestPermissionActivity.java b/src/com/android/settings/bluetooth/RequestPermissionActivity.java
index 4446fb6..362849d 100644
--- a/src/com/android/settings/bluetooth/RequestPermissionActivity.java
+++ b/src/com/android/settings/bluetooth/RequestPermissionActivity.java
@@ -29,6 +29,8 @@
import android.content.pm.PackageItemInfo;
import android.content.pm.PackageManager;
import android.os.Bundle;
+import android.os.Process;
+import android.os.UserHandle;
import android.text.TextUtils;
import android.util.Log;
@@ -315,16 +317,26 @@
}
} else {
Log.e(TAG, "Error: this activity may be started only with intent "
- + BluetoothAdapter.ACTION_REQUEST_ENABLE + " or "
+ + BluetoothAdapter.ACTION_REQUEST_ENABLE + ", "
+ + BluetoothAdapter.ACTION_REQUEST_DISABLE + " or "
+ BluetoothAdapter.ACTION_REQUEST_DISCOVERABLE);
setResult(RESULT_CANCELED);
return true;
}
- String packageName = getCallingPackage();
- if (TextUtils.isEmpty(packageName)) {
+ String packageName = getLaunchedFromPackage();
+ int mCallingUid = getLaunchedFromUid();
+
+ if (UserHandle.isSameApp(mCallingUid, Process.SYSTEM_UID)
+ && getIntent().getStringExtra(Intent.EXTRA_PACKAGE_NAME) != null) {
packageName = getIntent().getStringExtra(Intent.EXTRA_PACKAGE_NAME);
}
+
+ if (!UserHandle.isSameApp(mCallingUid, Process.SYSTEM_UID)
+ && getIntent().getStringExtra(Intent.EXTRA_PACKAGE_NAME) != null) {
+ Log.w(TAG, "Non-system Uid: " + mCallingUid + " tried to override packageName \n");
+ }
+
if (!TextUtils.isEmpty(packageName)) {
try {
ApplicationInfo applicationInfo = getPackageManager().getApplicationInfo(