author | John Shao <johnshao@google.com> | 2020-08-01 06:39:22 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2020-08-01 06:39:22 +0000 |
commit | b19ebd07e3a5cde2b2dcd9ad9d6957ebd33a12ea (patch) | |
tree | 7dc18cb9cb526061fbe20723afcaa71bca96b7c8 | |
parent | 148d370613439fd4133a418e27c2c087c1e7bf49 (diff) | |
parent | 2aedd25d2e64ac216727cf3d0c30d2bc0443007f (diff) | |
download | Contacts-b19ebd07e3a5cde2b2dcd9ad9d6957ebd33a12ea.tar.gz |
Correct vulnerability when setting pending intents on import/export notifications by setting FLAG_IMMUTABLE am: 1d595f80e9 am: 835bc188db am: 2aedd25d2e
Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/apps/Contacts/+/12272170
Change-Id: Ia4cca9a1832384c9742b6a7e9108a5d5e94781f6
-rw-r--r-- | src/com/android/contacts/vcard/ExportProcessor.java | 7 | ||||
-rw-r--r-- | src/com/android/contacts/vcard/NotificationImportExportListener.java | 41 |
2 files changed, 15 insertions, 33 deletions
diff --git a/src/com/android/contacts/vcard/ExportProcessor.java b/src/com/android/contacts/vcard/ExportProcessor.java
index 13d80caa1..66308c6bf 100644
--- a/src/com/android/contacts/vcard/ExportProcessor.java
+++ b/src/com/android/contacts/vcard/ExportProcessor.java
@@ -304,11 +304,12 @@ public class ExportProcessor extends ProcessorBase {
 intent.setType(Contacts.CONTENT_VCARD_TYPE);
 intent.putExtra(Intent.EXTRA_STREAM, uri);
 // Securely grant access using temporary access permissions
- intent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
+ // Use FLAG_ACTIVITY_NEW_TASK to set it as new task, to get rid of cached files.
+ intent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_ACTIVITY_NEW_TASK);
 // Build notification
 final Notification notification =
- NotificationImportExportListener.constructFinishNotificationWithFlags(
- mService, title, description, intent, Intent.FLAG_ACTIVITY_NEW_TASK);
+ NotificationImportExportListener.constructFinishNotification(
+ mService, title, description, intent);
 mNotificationManager.notify(NotificationImportExportListener.DEFAULT_NOTIFICATION_TAG,
 mJobId, notification);
 }
diff --git a/src/com/android/contacts/vcard/NotificationImportExportListener.java b/src/com/android/contacts/vcard/NotificationImportExportListener.java
index beabe26bc..8d5346825 100644
--- a/src/com/android/contacts/vcard/NotificationImportExportListener.java
+++ b/src/com/android/contacts/vcard/NotificationImportExportListener.java
@@ -16,6 +16,8 @@ package com.android.contacts.vcard;
+import static android.app.PendingIntent.FLAG_IMMUTABLE;
+
 import android.app.Activity;
 import android.app.Notification;
 import android.app.NotificationManager;
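Review bot: The added comment `// Use FLAG_ACTIVITY_NEW_TASK to set it as new task, to get rid of cached files.` (the wording carried over from the removed @param text) describes an effect the flag does not have: FLAG_ACTIVITY_NEW_TASK only decides which task the viewer activity is launched into, it does not clear or delete anything. Because this intent also carries FLAG_GRANT_READ_URI_PERMISSION for `uri` and is now wrapped in an immutable PendingIntent, this comment is where a reader will look to understand what the launched app is handed, so it should say what the flags actually do, e.g. `// Launch the viewer in its own task; the read grant below is limited to this one uri.` Note that `setFlags` replaces any flags already set on `intent`, which is fine only if nothing earlier in the method set some; the intent is created before this hunk, and the enclosing method starts outside it.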
@@ -229,7 +231,7 @@ public class NotificationImportExportListener implements VCardImportExportListen
 .setSmallIcon(type == VCardService.TYPE_IMPORT ? android.R.drawable.stat_sys_download : android.R.drawable.stat_sys_upload)
- .setContentIntent(PendingIntent.getActivity(context, 0, intent, 0));
+ .setContentIntent(PendingIntent.getActivity(context, 0, intent, FLAG_IMMUTABLE));
 if (totalCount > 0) {
 String percentage = NumberFormat.getPercentInstance().format((double) currentCount / totalCount);
@@ -254,10 +256,6 @@ public class NotificationImportExportListener implements VCardImportExportListen
 .setColor(context.getResources().getColor(R.color.dialtacts_theme_color))
 .setContentTitle(description)
 .setContentText(description)
- // Launch an intent that won't resolve to anything. Restrict the intent to this
- // app to make sure that no other app can steal this pending-intent b/19296918.
- .setContentIntent(PendingIntent
- .getActivity(context, 0, new Intent(context.getPackageName(), null), 0))
 .build();
 }
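Review bot: `PendingIntent.getActivity(context, 0, intent, FLAG_IMMUTABLE)` keeps request code 0 with neither FLAG_UPDATE_CURRENT nor FLAG_CANCEL_CURRENT, so if two concurrent jobs build progress intents that differ only in their extras, the system hands back the PendingIntent it already cached for the first one, extras included. That staleness predates this commit, but since the commit is revisiting every PendingIntent in the file it is the natural place to settle it. If `intent` is built per job (its construction is outside the hunk), consider `PendingIntent.getActivity(context, 0, intent, FLAG_IMMUTABLE | PendingIntent.FLAG_UPDATE_CURRENT)` or a per-job request code. The enclosing method starts before this hunk and continues after it.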
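Review bot: Removing the no-op content intent from the progress notification in the @@ -254,10 +256,6 @@ hunk is a sound way to close the hijack window, but it also deletes the only comment recording why this notification deliberately launches nothing (b/19296918), so the next maintainer who notices that a tap does nothing may reintroduce a PendingIntent without the same care. Suggest keeping a one-line marker after `.setContentText(description)`, e.g. `// Intentionally no content intent: there is nothing to launch, and no PendingIntent to hijack (b/19296918).` The identical removal in the @@ -311,10 +296,6 @@ hunk would benefit from the same line. Both builder chains begin before their hunks.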
@@ -270,29 +268,16 @@ public class NotificationImportExportListener implements VCardImportExportListen
 */
 /* package */ static Notification constructFinishNotification(
 Context context, String title, String description, Intent intent) {
- return constructFinishNotificationWithFlags(context, title, description, intent, 0);
- }
-
- /**
- * @param flags use FLAG_ACTIVITY_NEW_TASK to set it as new task, to get rid of cached files.
- */
- /* package */ static Notification constructFinishNotificationWithFlags(
- Context context, String title, String description, Intent intent, int flags) {
 ContactsNotificationChannelsUtil.createDefaultChannel(context);
 return new NotificationCompat.Builder(context,
- ContactsNotificationChannelsUtil.DEFAULT_CHANNEL)
- .setAutoCancel(true)
- .setColor(context.getResources().getColor(R.color.dialtacts_theme_color))
- .setSmallIcon(R.drawable.quantum_ic_done_vd_theme_24)
- .setContentTitle(title)
- .setContentText(description)
- // If no intent provided, include an intent that won't resolve to anything.
- // Restrict the intent to this app to make sure that no other app can steal this
- // pending-intent b/19296918.
- .setContentIntent(PendingIntent.getActivity(context, 0,
- (intent != null ? intent : new Intent(context.getPackageName(), null)),
- flags))
- .build();
+ ContactsNotificationChannelsUtil.DEFAULT_CHANNEL)
+ .setAutoCancel(true)
+ .setColor(context.getResources().getColor(R.color.dialtacts_theme_color))
+ .setSmallIcon(R.drawable.quantum_ic_done_vd_theme_24)
+ .setContentTitle(title)
+ .setContentText(description)
+ .setContentIntent(PendingIntent.getActivity(context, 0, intent, FLAG_IMMUTABLE))
+ .build();
 }
 /**
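Review bot: `PendingIntent.getActivity(context, 0, intent, FLAG_IMMUTABLE)` now receives `intent` unchecked, whereas the removed body documented and handled a null intent by substituting a package-restricted no-op Intent; a caller that still passes null will most likely fail with a NullPointerException inside getActivity rather than get a harmless notification. Either restore the fallback, or make the new contract explicit with `Objects.requireNonNull(intent, "intent");` as the first statement (with `java.util.Objects` imported) and an `@param intent` line stating it must be non-null in the Javadoc whose closing `*/` opens this hunk (its text is outside the hunk). ExportProcessor, the only caller visible in this commit, does pass a non-null intent, so this is about the method's contract rather than a known crash.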
@@ -311,10 +296,6 @@ public class NotificationImportExportListener implements VCardImportExportListen
 .setSmallIcon(android.R.drawable.stat_notify_error)
 .setContentTitle(context.getString(R.string.vcard_import_failed))
 .setContentText(reason)
- // Launch an intent that won't resolve to anything. Restrict the intent to this
- // app to make sure that no other app can steal this pending-intent b/19296918.
- .setContentIntent(PendingIntent
- .getActivity(context, 0, new Intent(context.getPackageName(), null), 0))
 .build();
 }
 } |