From 329603fd3b62ef5bb06c2c3612471edd30fd431a Mon Sep 17 00:00:00 2001 From: Carlos Valdivia Date: Sun, 7 Sep 2014 17:45:58 -0700 Subject: SECURITY: Don't pass a usable Pending Intent to 3rd parties. Unfortunately the Settings app has super powers. We shouldn't let untrusted 3rd party authenticators re-purpose those powers to their own nefarious ends. This means that we shouldn't pass along PendingIntents that can have addressing information (component, action, category) filled in by third parties. Bug: 17356824 Change-Id: I397d26c5f465ddfb0e58bbc66cd44756e58cc507 (cherry picked from commit f5d3e74ecc2b973941d8adbe40c6b23094b5abb7) Signed-off-by: Carlos Valdivia Tested-by: Moritz Bandemer --- .../android/settings/accounts/AddAccountSettings.java | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/src/com/android/settings/accounts/AddAccountSettings.java b/src/com/android/settings/accounts/AddAccountSettings.java index 6f7e29a24..6b53d75ff 100644 --- a/src/com/android/settings/accounts/AddAccountSettings.java +++ b/src/com/android/settings/accounts/AddAccountSettings.java @@ -23,6 +23,7 @@ import android.accounts.AuthenticatorException; import android.accounts.OperationCanceledException; import android.app.Activity; import android.app.PendingIntent; +import android.content.ComponentName; import android.content.Intent; import android.os.Bundle; import android.util.Log; @@ -58,6 +59,7 @@ public class AddAccountSettings extends Activity { * application. */ private static final String KEY_CALLER_IDENTITY = "pendingIntent"; + private static final String SHOULD_NOT_RESOLVE = "SHOULDN'T RESOLVE!"; private static final String TAG = "AccountSettings"; @@ -170,7 +172,21 @@ public class AddAccountSettings extends Activity { private void addAccount(String accountType) { Bundle addAccountOptions = new Bundle(); - mPendingIntent = PendingIntent.getBroadcast(this, 0, new Intent(), 0); + /* + * The identityIntent is for the purposes of establishing the identity + * of the caller and isn't intended for launching activities, services + * or broadcasts. + * + * Unfortunately for legacy reasons we still need to support this. But + * we can cripple the intent so that 3rd party authenticators can't + * fill in addressing information and launch arbitrary actions. + */ + Intent identityIntent = new Intent(); + identityIntent.setComponent(new ComponentName(SHOULD_NOT_RESOLVE, SHOULD_NOT_RESOLVE)); + identityIntent.setAction(SHOULD_NOT_RESOLVE); + identityIntent.addCategory(SHOULD_NOT_RESOLVE); + + mPendingIntent = PendingIntent.getBroadcast(this, 0, identityIntent, 0); addAccountOptions.putParcelable(KEY_CALLER_IDENTITY, mPendingIntent); addAccountOptions.putBoolean(EXTRA_HAS_MULTIPLE_USERS, Utils.hasMultipleUsers(this)); AccountManager.get(this).addAccount( -- cgit v1.2.3