diff options
| author | akirilov <akirilov@google.com> | 2018-10-16 14:52:05 -0700 |
|---|---|---|
| committer | Kevin Haggerty <haggertk@lineageos.org> | 2019-01-11 19:45:06 +0100 |
| commit | 770be26674928679e4284ba3192c9ad32e70c2b4 (patch) | |
| tree | 75ac63f52f47b99a7df6931d1c67e8808ab67e01 | |
| parent | 4fb92827be7ed37b7a79c92edafd3cbe0ef1967d (diff) | |
| download | android_packages_apps_PackageInstaller-770be26674928679e4284ba3192c9ad32e70c2b4.tar.gz android_packages_apps_PackageInstaller-770be26674928679e4284ba3192c9ad32e70c2b4.tar.bz2 android_packages_apps_PackageInstaller-770be26674928679e4284ba3192c9ad32e70c2b4.zip | |
RESTRICT AUTOMERGE: Trust session id only if started with ACTION_CONFIRM_INSTALL
InstallStart was reading sessionInfo whenever the starting intent had
the extra EXTRA_SESSION_ID. This could happen even if an external app
inserted a valid session id into its own REQUEST_INSTALL_PACKAGE intent.
This allows apps to potentially spoof the calling package.
Test: Existing tests pass:
atest GtsPackageInstallTestCases GtsNoPermissionTestCases \
GtsNoPermissionTestCases25
Bug: 112031362
Change-Id: Icdab1deeaf6b0afe7a61709cd87305336c467e33
(cherry picked from commit 10b0b0dcd03ac2ccd9d2a5ec8dfdf54058e31faa)
| -rw-r--r-- | src/com/android/packageinstaller/InstallStart.java | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/com/android/packageinstaller/InstallStart.java b/src/com/android/packageinstaller/InstallStart.java index 12441b50..23bd7bb1 100644 --- a/src/com/android/packageinstaller/InstallStart.java +++ b/src/com/android/packageinstaller/InstallStart.java @@ -55,9 +55,14 @@ public class InstallStart extends Activity { Intent intent = getIntent(); String callingPackage = getCallingPackage(); + final boolean isSessionInstall = + PackageInstaller.ACTION_CONFIRM_PERMISSIONS.equals(intent.getAction()); + // If the activity was started via a PackageInstaller session, we retrieve the calling // package from that session - int sessionId = intent.getIntExtra(PackageInstaller.EXTRA_SESSION_ID, -1); + final int sessionId = (isSessionInstall + ? intent.getIntExtra(PackageInstaller.EXTRA_SESSION_ID, -1) + : -1); if (callingPackage == null && sessionId != -1) { PackageInstaller packageInstaller = getPackageManager().getPackageInstaller(); PackageInstaller.SessionInfo sessionInfo = packageInstaller.getSessionInfo(sessionId); @@ -100,7 +105,7 @@ public class InstallStart extends Activity { nextActivity.putExtra(PackageInstallerActivity.EXTRA_ORIGINAL_SOURCE_INFO, sourceInfo); nextActivity.putExtra(Intent.EXTRA_ORIGINATING_UID, originatingUid); - if (PackageInstaller.ACTION_CONFIRM_PERMISSIONS.equals(intent.getAction())) { + if (isSessionInstall) { nextActivity.setClass(this, PackageInstallerActivity.class); } else { Uri packageUri = intent.getData(); |