Android/packages_apps_Settings
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

RESTRICT AUTOMERGE Fix bluetooth settings will broadcast to anywhere when some cases

Browse Source 
BluetoothPermissionActivity and DevicePickerFragment will send
broadcast to return the result to calling apps. As this broadcast
intent is from Settings with uid 1000, it will be sent to any
protected BroadcastReceivers in the device. It can make an attacker
send broadcast to protected BroadcastReceivers like factory reset intent
(android/com.android.server.MasterClearReceiver) via
BluetoothPermissionActivity or DevicePickerFragment.

This CL will not allow to set package name and class name to avoid
the attacker.

Bug: 179386960
Bug: 179386068
Test: make -j42 RunSettingsRoboTests and use test apk to manually test
to verify factory reset not started and no system UI notification.

Change-Id: Id27a78091ab578077853b8fbb97a4422cff0a158
(cherry picked from commit 8adedc6249)
(cherry picked from commit e21d06f6ee)
This commit is contained in:
Hugh Chen
2021-03-12 10:40:20 +08:00
committed by android-build-team Robot
parent 42be5cfa10
commit f1d1bb7816
5 changed files with 107 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
src/com/android/settings/bluetooth/DevicePickerFragment.java
View File

@@ -48,10 +48,10 @@ public final class DevicePickerFragment extends DeviceListPreferenceFragment {
@VisibleForTesting
BluetoothProgressCategory mAvailableDevicesCategory;
@VisibleForTesting
Context mContext;
private boolean mNeedAuth;
private String mLaunchPackage;
private String mLaunchClass;
private boolean mScanAllowed;
public DevicePickerFragment() {
@@ -64,8 +64,6 @@ public final class DevicePickerFragment extends DeviceListPreferenceFragment {
mNeedAuth = intent.getBooleanExtra(BluetoothDevicePicker.EXTRA_NEED_AUTH, false);
setFilter(intent.getIntExtra(BluetoothDevicePicker.EXTRA_FILTER_TYPE,
BluetoothDevicePicker.FILTER_TYPE_ALL));
mLaunchPackage = intent.getStringExtra(BluetoothDevicePicker.EXTRA_LAUNCH_PACKAGE);
mLaunchClass = intent.getStringExtra(BluetoothDevicePicker.EXTRA_LAUNCH_CLASS);
mAvailableDevicesCategory = (BluetoothProgressCategory) findPreference(KEY_BT_DEVICE_LIST);
}
@@ -85,6 +83,7 @@ public final class DevicePickerFragment extends DeviceListPreferenceFragment {
getActivity().setTitle(getString(R.string.device_picker));
UserManager um = (UserManager) getSystemService(Context.USER_SERVICE);
mScanAllowed = !um.hasUserRestriction(DISALLOW_CONFIG_BLUETOOTH);
mContext = getContext();
setHasOptionsMenu(true);
}
@@ -190,9 +189,7 @@ public final class DevicePickerFragment extends DeviceListPreferenceFragment {
private void sendDevicePickedIntent(BluetoothDevice device) {
Intent intent = new Intent(BluetoothDevicePicker.ACTION_DEVICE_SELECTED);
intent.putExtra(BluetoothDevice.EXTRA_DEVICE, device);
if (mLaunchPackage != null && mLaunchClass != null) {
intent.setClassName(mLaunchPackage, mLaunchClass);
}
getActivity().sendBroadcast(intent, Manifest.permission.BLUETOOTH_ADMIN);
mContext.sendBroadcast(intent, Manifest.permission.BLUETOOTH_ADMIN);
}
}