authorAmith Yamasani <yamasani@google.com>2013-09-25 14:05:33 -0700
committerAmith Yamasani <yamasani@google.com>2013-09-25 14:05:33 -0700
commit66026773bbf1d7631743a5b892a4f768c694f868 (patch)
tree09729d1c9ac54e66a86e09550a9b4aafbd2bb295 /src/com/android
parent8243c9a722e815bdcb069163de48877478c28dfd (diff)
downloadpackages_apps_Settings-66026773bbf1d7631743a5b892a4f768c694f868.tar.gz
packages_apps_Settings-66026773bbf1d7631743a5b892a4f768c694f868.tar.bz2
packages_apps_Settings-66026773bbf1d7631743a5b892a4f768c694f868.zip
Make sure that external callers cannot pass in the confirm bypass extra
Security fix for vulnerability where an app could launch into the screen lock change dialog without first confirming the existing password/pattern. Also, make sure that the fragments are launched with the correct corresponding activity. Bug: 9858403 Change-Id: I0f2c00a44abeb624c6fba0497bf6036a6f1a4564
Diffstat (limited to 'src/com/android')
-rw-r--r--src/com/android/settings/ChooseLockGeneric.java10
-rw-r--r--src/com/android/settings/ChooseLockPassword.java3
-rw-r--r--src/com/android/settings/ChooseLockPattern.java5
3 files changed, 15 insertions, 3 deletions
diff --git a/src/com/android/settings/ChooseLockGeneric.java b/src/com/android/settings/ChooseLockGeneric.java
index 017adfac2..49de36686 100644
--- a/src/com/android/settings/ChooseLockGeneric.java
+++ b/src/com/android/settings/ChooseLockGeneric.java
@@ -60,6 +60,9 @@ public class ChooseLockGeneric extends PreferenceActivity {
return false;
}
+ public static class InternalActivity extends ChooseLockGeneric {
+ }
+
public static class ChooseLockGenericFragment extends SettingsPreferenceFragment {
private static final int MIN_PASSWORD_LENGTH = 4;
private static final String KEY_UNLOCK_BACKUP_INFO = "unlock_backup_info";
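Review bot: `InternalActivity` is added at the top of this hunk with no comment, yet the bypass check added in the fragment's credential handling depends on this class being reachable only from inside Settings. That guarantee comes from the manifest entry, which is not part of this diff, so it should be confirmed that the activity is declared with `android:exported="false"` and no intent filter. I would add a Javadoc such as `/** Internal-only host: the only activity for which CONFIRM_CREDENTIALS=false is honoured; must stay non-exported in AndroidManifest.xml. */`. Both `ChooseLockGeneric` and `ChooseLockGenericFragment` continue outside the hunk.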
@@ -97,7 +100,9 @@ public class ChooseLockGeneric extends PreferenceActivity {
// Defaults to needing to confirm credentials
final boolean confirmCredentials = getActivity().getIntent()
.getBooleanExtra(CONFIRM_CREDENTIALS, true);
- mPasswordConfirmed = !confirmCredentials;
+ if (getActivity() instanceof ChooseLockGeneric.InternalActivity) {
+ mPasswordConfirmed = !confirmCredentials;
+ }
if (savedInstanceState != null) {
mPasswordConfirmed = savedInstanceState.getBoolean(PASSWORD_CONFIRMED);
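Review bot: When the host is not `InternalActivity`, `mPasswordConfirmed` is never assigned on this path, so the fail-closed behaviour rests on the field's default value, whose declaration is outside the hunk. A single assignment makes the intent explicit: `mPasswordConfirmed = !confirmCredentials && getActivity() instanceof ChooseLockGeneric.InternalActivity;`. The existing comment above `confirmCredentials` should also state that the extra is ignored for every other host activity, since the value is still read from the intent in all cases. The enclosing method starts and ends outside the hunk.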
@@ -341,7 +346,8 @@ public class ChooseLockGeneric extends PreferenceActivity {
}
private Intent getBiometricSensorIntent() {
- Intent fallBackIntent = new Intent().setClass(getActivity(), ChooseLockGeneric.class);
+ Intent fallBackIntent = new Intent().setClass(getActivity(),
+ ChooseLockGeneric.InternalActivity.class);
fallBackIntent.putExtra(LockPatternUtils.LOCKSCREEN_BIOMETRIC_WEAK_FALLBACK, true);
fallBackIntent.putExtra(CONFIRM_CREDENTIALS, false);
fallBackIntent.putExtra(EXTRA_SHOW_FRAGMENT_TITLE,
diff --git a/src/com/android/settings/ChooseLockPassword.java b/src/com/android/settings/ChooseLockPassword.java
index c6f5212c3..f43738f04 100644
--- a/src/com/android/settings/ChooseLockPassword.java
+++ b/src/com/android/settings/ChooseLockPassword.java
@@ -161,6 +161,9 @@ public class ChooseLockPassword extends PreferenceActivity {
super.onCreate(savedInstanceState);
mLockPatternUtils = new LockPatternUtils(getActivity());
Intent intent = getActivity().getIntent();
+ if (!(getActivity() instanceof ChooseLockPassword)) {
+ throw new SecurityException("Fragment contained in wrong activity");
+ }
mRequestedQuality = Math.max(intent.getIntExtra(LockPatternUtils.PASSWORD_TYPE_KEY,
mRequestedQuality), mLockPatternUtils.getRequestedPasswordQuality());
mPasswordMinLength = Math.max(
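Review bot: The host-activity check runs only after `new LockPatternUtils(getActivity())` and `getActivity().getIntent()` have executed; placing it directly after `super.onCreate(savedInstanceState)` would reject a wrong host before the fragment touches any state. The same ordering applies to the check added in `ChooseLockPattern.java`, where it follows the `ChooseLockSettingsHelper` construction. A one-line comment such as `// Refuse to run when hosted by any activity other than ChooseLockPassword.` would record why the exception is thrown. `onCreate` continues past the end of the hunk.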
diff --git a/src/com/android/settings/ChooseLockPattern.java b/src/com/android/settings/ChooseLockPattern.java
index c3045e26e..328312c2f 100644
--- a/src/com/android/settings/ChooseLockPattern.java
+++ b/src/com/android/settings/ChooseLockPattern.java
@@ -308,6 +308,9 @@ public class ChooseLockPattern extends PreferenceActivity {
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
mChooseLockSettingsHelper = new ChooseLockSettingsHelper(getActivity());
+ if (!(getActivity() instanceof ChooseLockPattern)) {
+ throw new SecurityException("Fragment contained in wrong activity");
+ }
}
@Override
@@ -338,7 +341,7 @@ public class ChooseLockPattern extends PreferenceActivity {
topLayout.setDefaultTouchRecepient(mLockPatternView);
final boolean confirmCredentials = getActivity().getIntent()
- .getBooleanExtra("confirm_credentials", false);
+ .getBooleanExtra("confirm_credentials", true);
if (savedInstanceState == null) {
if (confirmCredentials) {
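Review bot: Flipping the default to `true` only covers callers that omit the extra; an intent carrying `confirm_credentials` set to `false` is still honoured here, and unlike `ChooseLockGenericFragment` this path has no check tying the value to an internal-only host. Whether `ChooseLockPattern` can be started from outside Settings depends on the manifest, which this diff does not show, so that should be confirmed or the value gated the same way as in `ChooseLockGeneric.java`. The literal `"confirm_credentials"` also appears to duplicate the `CONFIRM_CREDENTIALS` constant used there (assuming it holds the same string); sharing one constant would keep the readers in sync. The enclosing method starts and ends outside the hunk.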