From 1d595f80e9c5157f8ca0285b572c9f1463e05c58 Mon Sep 17 00:00:00 2001 From: John Shao Date: Wed, 29 Jul 2020 22:17:01 +0000 Subject: Correct vulnerability when setting pending intents on import/export notifications by setting FLAG_IMMUTABLE For cases where we were setting an empty content intent, setContentIntent has not been required since Gingerbread Bug: 161718556 Test: build Change-Id: I1f62fdc077401fea2c48a31527464464f08a6b64 --- .../android/contacts/vcard/ExportProcessor.java | 7 ++-- .../vcard/NotificationImportExportListener.java | 41 ++++++---------------- 2 files changed, 15 insertions(+), 33 deletions(-) diff --git a/src/com/android/contacts/vcard/ExportProcessor.java b/src/com/android/contacts/vcard/ExportProcessor.java index 13d80caa1..66308c6bf 100644 --- a/src/com/android/contacts/vcard/ExportProcessor.java +++ b/src/com/android/contacts/vcard/ExportProcessor.java @@ -304,11 +304,12 @@ public class ExportProcessor extends ProcessorBase { intent.setType(Contacts.CONTENT_VCARD_TYPE); intent.putExtra(Intent.EXTRA_STREAM, uri); // Securely grant access using temporary access permissions - intent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION); + // Use FLAG_ACTIVITY_NEW_TASK to set it as new task, to get rid of cached files. + intent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_ACTIVITY_NEW_TASK); // Build notification final Notification notification = - NotificationImportExportListener.constructFinishNotificationWithFlags( - mService, title, description, intent, Intent.FLAG_ACTIVITY_NEW_TASK); + NotificationImportExportListener.constructFinishNotification( + mService, title, description, intent); mNotificationManager.notify(NotificationImportExportListener.DEFAULT_NOTIFICATION_TAG, mJobId, notification); } diff --git a/src/com/android/contacts/vcard/NotificationImportExportListener.java b/src/com/android/contacts/vcard/NotificationImportExportListener.java index beabe26bc..8d5346825 100644 --- a/src/com/android/contacts/vcard/NotificationImportExportListener.java +++ b/src/com/android/contacts/vcard/NotificationImportExportListener.java @@ -16,6 +16,8 @@ package com.android.contacts.vcard; +import static android.app.PendingIntent.FLAG_IMMUTABLE; + import android.app.Activity; import android.app.Notification; import android.app.NotificationManager; @@ -229,7 +231,7 @@ public class NotificationImportExportListener implements VCardImportExportListen .setSmallIcon(type == VCardService.TYPE_IMPORT ? android.R.drawable.stat_sys_download : android.R.drawable.stat_sys_upload) - .setContentIntent(PendingIntent.getActivity(context, 0, intent, 0)); + .setContentIntent(PendingIntent.getActivity(context, 0, intent, FLAG_IMMUTABLE)); if (totalCount > 0) { String percentage = NumberFormat.getPercentInstance().format((double) currentCount / totalCount); @@ -254,10 +256,6 @@ public class NotificationImportExportListener implements VCardImportExportListen .setColor(context.getResources().getColor(R.color.dialtacts_theme_color)) .setContentTitle(description) .setContentText(description) - // Launch an intent that won't resolve to anything. Restrict the intent to this - // app to make sure that no other app can steal this pending-intent b/19296918. - .setContentIntent(PendingIntent - .getActivity(context, 0, new Intent(context.getPackageName(), null), 0)) .build(); } @@ -270,29 +268,16 @@ public class NotificationImportExportListener implements VCardImportExportListen */ /* package */ static Notification constructFinishNotification( Context context, String title, String description, Intent intent) { - return constructFinishNotificationWithFlags(context, title, description, intent, 0); - } - - /** - * @param flags use FLAG_ACTIVITY_NEW_TASK to set it as new task, to get rid of cached files. - */ - /* package */ static Notification constructFinishNotificationWithFlags( - Context context, String title, String description, Intent intent, int flags) { ContactsNotificationChannelsUtil.createDefaultChannel(context); return new NotificationCompat.Builder(context, - ContactsNotificationChannelsUtil.DEFAULT_CHANNEL) - .setAutoCancel(true) - .setColor(context.getResources().getColor(R.color.dialtacts_theme_color)) - .setSmallIcon(R.drawable.quantum_ic_done_vd_theme_24) - .setContentTitle(title) - .setContentText(description) - // If no intent provided, include an intent that won't resolve to anything. - // Restrict the intent to this app to make sure that no other app can steal this - // pending-intent b/19296918. - .setContentIntent(PendingIntent.getActivity(context, 0, - (intent != null ? intent : new Intent(context.getPackageName(), null)), - flags)) - .build(); + ContactsNotificationChannelsUtil.DEFAULT_CHANNEL) + .setAutoCancel(true) + .setColor(context.getResources().getColor(R.color.dialtacts_theme_color)) + .setSmallIcon(R.drawable.quantum_ic_done_vd_theme_24) + .setContentTitle(title) + .setContentText(description) + .setContentIntent(PendingIntent.getActivity(context, 0, intent, FLAG_IMMUTABLE)) + .build(); } /** @@ -311,10 +296,6 @@ public class NotificationImportExportListener implements VCardImportExportListen .setSmallIcon(android.R.drawable.stat_notify_error) .setContentTitle(context.getString(R.string.vcard_import_failed)) .setContentText(reason) - // Launch an intent that won't resolve to anything. Restrict the intent to this - // app to make sure that no other app can steal this pending-intent b/19296918. - .setContentIntent(PendingIntent - .getActivity(context, 0, new Intent(context.getPackageName(), null), 0)) .build(); } } -- cgit v1.2.3