Merge "Add ComponentName explicitly to make sure arbitary intents aren't launched from Settings." into security-aosp-25Q2-staging

Justin Dunlap
2025-05-20 07:55:24 -07:00
committed by Android (Google) Code Review


@@ -265,7 +265,14 @@ public class AccountTypePreferenceLoader {
try {
// Allows to launch only authenticator owned activities.
ApplicationInfo authenticatorAppInf = pm.getApplicationInfo(authDesc.packageName, 0);
return resolvedAppInfo.uid == authenticatorAppInf.uid;
if (resolvedAppInfo.uid == authenticatorAppInf.uid) {
// Explicitly set the component to be same as authenticator to
// prevent launching arbitrary activities.
intent.setComponent(resolvedActivityInfo.getComponentName());
return true;
} else {
return false;
}
} catch (NameNotFoundException e) {
Log.e(TAG,
"Intent considered unsafe due to exception.",
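Review bot: The new `intent.setComponent(resolvedActivityInfo.getComponentName())` makes a boolean check mutate its argument, and the comment above it does not say that the protection depends on the caller launching this same `Intent` instance. The comment is also imprecise: the component is pinned to the activity that was resolved and uid-checked, not to "the authenticator". I would reword it to `// Pin the intent to the activity that was just resolved and uid-checked so the launch cannot re-resolve to another component; callers must start this same Intent instance.` The enclosing method starts and ends outside the hunk, so I cannot see whether it has other paths that return true; if it does, they should pin the component the same way. The `if`/`else` around `return true;` / `return false;` could drop the `else` and end with a plain `return false;`.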