From 6c418d585e0a91054b168fde3130188afd006c98 Mon Sep 17 00:00:00 2001 From: Dianne Hackborn Date: Wed, 29 Jun 2011 14:05:33 -0700 Subject: Fix issue #4902856: Don't let apps register non-explicit PendingIntents Location manager now checks for such intents, and logs a warning when they are given to it. Nothing thrown yet, it needs to check the targetSdkVersion of the caller somehow. When sending the pending intent, we require that the recipient hold the appropriate permission. This should pretty much close the security hole. Includes a bunch of infrastructure in the activity manager needed to support all this. Change-Id: I4dba7a98a7b8bbb9e347666451aa9cb1efad1848 --- core/java/android/app/ActivityManagerNative.java | 29 ++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) (limited to 'core/java/android/app/ActivityManagerNative.java') diff --git a/core/java/android/app/ActivityManagerNative.java b/core/java/android/app/ActivityManagerNative.java index 85f40c92963a..fdf4a3af906d 100644 --- a/core/java/android/app/ActivityManagerNative.java +++ b/core/java/android/app/ActivityManagerNative.java @@ -251,12 +251,13 @@ public abstract class ActivityManagerNative extends Binder implements IActivityM IBinder b = data.readStrongBinder(); IApplicationThread app = b != null ? ApplicationThreadNative.asInterface(b) : null; + String packageName = data.readString(); b = data.readStrongBinder(); IIntentReceiver rec = b != null ? IIntentReceiver.Stub.asInterface(b) : null; IntentFilter filter = IntentFilter.CREATOR.createFromParcel(data); String perm = data.readString(); - Intent intent = registerReceiver(app, rec, filter, perm); + Intent intent = registerReceiver(app, packageName, rec, filter, perm); reply.writeNoException(); if (intent != null) { reply.writeInt(1); 
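Review bot: The value read by `String packageName = data.readString();` in the registerReceiver case comes straight from the caller's parcel, so it is an unauthenticated claim until something compares it with the calling uid. This file only unmarshals and forwards it. The check has to live in the `registerReceiver(app, packageName, rec, filter, perm)` implementation, which is not part of this diff, so confirm that it rejects a package not owned by `Binder.getCallingUid()`. I would add a comment at the read, `// caller-supplied; the implementation must verify it against the calling uid`, so the trust boundary is visible where the value enters. The enclosing case block starts and ends outside the hunk.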
@@ -1503,6 +1504,16 @@ public abstract class ActivityManagerNative extends Binder implements IActivityM return true; } + case IS_INTENT_SENDER_TARGETED_TO_PACKAGE_TRANSACTION: { + data.enforceInterface(IActivityManager.descriptor); + IIntentSender r = IIntentSender.Stub.asInterface( + data.readStrongBinder()); + boolean res = isIntentSenderTargetedToPackage(r); + reply.writeNoException(); + reply.writeInt(res ? 1 : 0); + return true; + } + } return super.onTransact(code, data, reply, flags); @@ -1702,7 +1713,7 @@ class ActivityManagerProxy implements IActivityManager reply.recycle(); return res; } - public Intent registerReceiver(IApplicationThread caller, + public Intent registerReceiver(IApplicationThread caller, String packageName, IIntentReceiver receiver, IntentFilter filter, String perm) throws RemoteException { @@ -1710,6 +1721,7 @@ class ActivityManagerProxy implements IActivityManager Parcel reply = Parcel.obtain(); data.writeInterfaceToken(IActivityManager.descriptor); data.writeStrongBinder(caller != null ? caller.asBinder() : null); + data.writeString(packageName); data.writeStrongBinder(receiver != null ? receiver.asBinder() : null); filter.writeToParcel(data, 0); data.writeString(perm); @@ -3385,5 +3397,18 @@ class ActivityManagerProxy implements IActivityManager reply.recycle(); } + public boolean isIntentSenderTargetedToPackage(IIntentSender sender) throws RemoteException { + Parcel data = Parcel.obtain(); + Parcel reply = Parcel.obtain(); + data.writeInterfaceToken(IActivityManager.descriptor); + data.writeStrongBinder(sender.asBinder()); + mRemote.transact(IS_INTENT_SENDER_TARGETED_TO_PACKAGE_TRANSACTION, data, reply, 0); + reply.readException(); + boolean res = reply.readInt() != 0; + data.recycle(); + reply.recycle(); + return res; + } + private IBinder mRemote; } -- cgit v1.2.3
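Review bot: In the new IS_INTENT_SENDER_TARGETED_TO_PACKAGE_TRANSACTION case, `IIntentSender r` is built from a binder the caller controls, so it can be null or an IIntentSender implemented by the calling app rather than one issued by the activity manager. The result presumably feeds the non-explicit PendingIntent check described in the commit message. If so, `isIntentSenderTargetedToPackage(r)` should return false for anything it does not recognise as its own record, instead of casting or dereferencing it. That implementation is outside this file. A short comment on the case, `// r is untrusted: may be null or a foreign IIntentSender`, would document the expectation.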
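Review bot: `data.writeStrongBinder(sender.asBinder());` in the new proxy method isIntentSenderTargetedToPackage dereferences `sender` without a null check, while registerReceiver in the same class writes `caller != null ? caller.asBinder() : null`. A null sender therefore throws a NullPointerException after both parcels have been obtained, and neither is recycled. Writing `data.writeStrongBinder(sender != null ? sender.asBinder() : null);` keeps the two methods consistent and leaves the decision to the service side. The parcels are also skipped when `reply.readException()` throws, because the two `recycle()` calls sit after it with no try/finally. This appears to be the existing pattern in the file.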