author | Raman Tenneti <rtenneti@google.com> | 2019-09-16 15:19:41 -0700 |
---|---|---|
committer | Raman Tenneti <rtenneti@google.com> | 2019-09-17 15:20:04 -0700 |
commit | 85988858d75498f51f0217eaf9796661a6d3ab63 (patch) | |
tree | 658c79d23a51d1da8a3611b461d4713b0c5279de | |
parent | 4201564aea66a4c00d24a0b1eb0c9facb92f34a5 (diff) | |
download | UnifiedEmail-85988858d75498f51f0217eaf9796661a6d3ab63.tar.gz |
AOSP/UnifiedEmail - Secure UPDATE_WIDGET receiver with a new permission
The update method sends a broadcast with the account name, the folder, etc.
This implicitly bypasses the GET_ACCOUNT permission if a third-party
application listens to this broadcast.
- Introduce a new app permission
- com.android.email.permission.GET_WIDGET_UPDATE
- Now the com.android.email.permission.GET_WIDGET_UPDATE is required to
- receive the emitted broadcast
- Add this permission to our existing widgets.
Ported changes from cr/106302205
- added uses-permission GET_WIDGET_UPDATE, so Gmail app has the permission to receive the intent
Bug: 139803872
Test: manual - Ran the following tests on Pixel phone. Tested the email UI.
$ make -j 40
$ make Email -j
$ make EmailTests -j
-rw-r--r-- 1 rtenneti primarygroup 6356400 Sep 16 14:10 out/target/product/marlin/testcases/Email/arm64/Email.apk
-rw-r--r-- 1 rtenneti primarygroup 389599 Sep 16 14:18 out/target/product/marlin/testcases/EmailTests/arm64/EmailTests.apk
$ adb install -r -d -g out/target/product/marlin/testcases/Email/arm64/Email.apk
$ adb install -r -d -g out/target/product/marlin/testcases/EmailTests/arm64/EmailTests.apk
$ adb shell am instrument -w com.android.email.tests
Time: 34.746
OK (157 tests)
$ atest EmailTests
Summary
-------
EmailTests: Passed: 157, Failed: 0, Ignored: 0, Assumption Failed: 0
All tests passed!
$ adb install ../security_attack/bug_139803872/poc.apk
Captured the logcat output at rtenneti's x20web logcat.out.0916.1503
while reproducting the steps in b/139803872#comment3
Change-Id: Ied292eab76c672c60de57f8ce43df0e0ea6d3464
-rw-r--r-- | res/values/strings.xml | 7 | ||||
-rw-r--r-- | src/com/android/mail/widget/BaseWidgetProvider.java | 14 |
2 files changed, 18 insertions, 3 deletions
diff --git a/res/values/strings.xml b/res/values/strings.xml
index 951f1070c..a8b7bfef9 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -26,6 +26,13 @@
 <string name="app_name" translatable="false">Unified Email</string>
+ <!-- The name of the permission to get widget update notifications. -->
+ <string name="permission_update_widget" translatable="false">com.android.email.permission.GET_WIDGET_UPDATE</string>
+ <!-- Permission label for receiving updates for the widget. -->
+ <string name="permission_update_widget_label">Update widget</string>
+ <!-- Permission description for receiving updates for the widget. -->
+ <string name="permission_update_widget_desc">Allows the app to receive notifications when the widget should be refreshed, including the account name and folder name.</string>
+ <!-- Compose -->
 <!-- Shown in Compose; the sender of the message [CHAR LIMIT=10] -->
 <string name="from">From</string>
diff --git a/src/com/android/mail/widget/BaseWidgetProvider.java b/src/com/android/mail/widget/BaseWidgetProvider.java
index 00eacd79b..42d1ae634 100644
--- a/src/com/android/mail/widget/BaseWidgetProvider.java
+++ b/src/com/android/mail/widget/BaseWidgetProvider.java
@@ -318,10 +318,18 @@ public abstract class BaseWidgetProvider extends AppWidgetProvider {
 updateWidgetIntent.putExtra(EXTRA_FOLDER_TYPE, folderType);
 updateWidgetIntent.putExtra(EXTRA_FOLDER_CAPABILITIES, folderCapabilities);
 updateWidgetIntent.putExtra(EXTRA_FOLDER_URI, folderUri);
- updateWidgetIntent.putExtra(EXTRA_FOLDER_CONVERSATION_LIST_URI, folderConversationListUri);
- updateWidgetIntent.putExtra(EXTRA_FOLDER_DISPLAY_NAME, folderDisplayName);
- context.sendBroadcast(updateWidgetIntent);
+ if (folderConversationListUri != null) {
+ updateWidgetIntent.putExtra(EXTRA_FOLDER_CONVERSATION_LIST_URI,
+ folderConversationListUri);
+ }
+ if (folderDisplayName != null) {
+ updateWidgetIntent.putExtra(EXTRA_FOLDER_DISPLAY_NAME, folderDisplayName);
+ }
+ updateWidgetIntent.setPackage(context.getPackageName());
+
+ context.sendBroadcast(updateWidgetIntent,
+ context.getString(R.string.permission_update_widget));
 }
 public static void validateAllWidgets(Context context, String accountMimeType) { |
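Review bot: The receiver permission passed to `context.sendBroadcast(updateWidgetIntent, context.getString(R.string.permission_update_widget))` at the end of this hunk only restricts delivery if `com.android.email.permission.GET_WIDGET_UPDATE` is declared with a restrictive protection level, and the `<permission>` declaration is not among the two files this commit changes. If a manifest embedding this code declares it at the default level, any app that requests the permission satisfies the check, and `setPackage(context.getPackageName())` becomes the only effective restriction. It is worth confirming the declaration (presumably `signature`) in every app that ships this provider, and that the literal in `permission_update_widget` matches the manifest name exactly. A comment above the two calls would record the intent, e.g. `// Extras carry account and folder details: deliver only within our own package, and only to receivers holding GET_WIDGET_UPDATE.` The enclosing method starts before this hunk, so how the earlier extras are populated is not visible here.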