From c3f2df12fc2cd2b0bcab871cd83f16cf59771af0 Mon Sep 17 00:00:00 2001
From: Dmitry Dementyev
Date: Wed, 8 Mar 2017 16:32:00 -0800
Subject: resolve merge conflicts of 3964c51bf2 to nyc-dev
Bug: 33123882
Test: manual tests
Merged-In: If68343d155364654fa7db55ace3fb3c4db508c7e
AOSP-Change-Id: I17ceca883819a161c4eab2a414abf0b64c320378
(cherry picked from commit 0f04a5a93f846d6f2d528ab6ae0c9e37d701e438)
CVE-2017-0703
Change-Id: I6c09d8069b84661f761b385c8806bbe48aca155e
---
 .../settings/accounts/ManageAccountsSettings.java | 32 ++++++++++++++--------
 1 file changed, 21 insertions(+), 11 deletions(-)
(limited to 'src/com/android')
diff --git a/src/com/android/settings/accounts/ManageAccountsSettings.java b/src/com/android/settings/accounts/ManageAccountsSettings.java
index bbb8c149c..59fcbed2f 100644
--- a/src/com/android/settings/accounts/ManageAccountsSettings.java
+++ b/src/com/android/settings/accounts/ManageAccountsSettings.java
@@ -36,6 +36,7 @@ import android.os.Bundle;
 import android.os.UserHandle;
 import android.preference.Preference;
 import android.preference.Preference.OnPreferenceClickListener;
+import android.preference.PreferenceGroup;
 import android.preference.PreferenceScreen;
 import android.util.Log;
 import android.view.LayoutInflater;
@@ -83,7 +84,7 @@ public class ManageAccountsSettings extends AccountPreferenceBase
 // If an account type is set, then show only accounts of that type
 private String mAccountType;
- // Temporary hack, to deal with backward compatibility
+ // Temporary hack, to deal with backward compatibility
 // mFirstAccount is used for the injected preferences
 private Account mFirstAccount;
@@ -438,15 +439,18 @@ public class ManageAccountsSettings extends AccountPreferenceBase
 }
 /**
- * Filters through the preference list provided by GoogleLoginService.
+ * Recursively filters through the preference list provided by GoogleLoginService.
 *
 * This method removes all the invalid intent from the list, adds account name as extra into the
 * intent, and hack the location settings to start it as a fragment.
 */
- private void updatePreferenceIntents(PreferenceScreen prefs) {
+ private void updatePreferenceIntents(PreferenceGroup prefs) {
 final PackageManager pm = getActivity().getPackageManager();
 for (int i = 0; i < prefs.getPreferenceCount();) {
 Preference pref = prefs.getPreference(i);
+ if (pref instanceof PreferenceGroup) {
+ updatePreferenceIntents((PreferenceGroup) pref);
+ }
 Intent intent = pref.getIntent();
 if (intent != null) {
 // Hack. Launch "Location" as fragment instead of as activity.
@@ -495,8 +499,8 @@ public class ManageAccountsSettings extends AccountPreferenceBase
 } else {
 Log.e(TAG,
 "Refusing to launch authenticator intent because"
- + "it exploits Settings permissions: "
- + prefIntent);
+ + "it exploits Settings permissions: "
+ + prefIntent);
 }
 return true;
 }
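Review bot: The recursive call added at the top of the loop in `updatePreferenceIntents` (the `@@ -438,15 +439,18 @@` hunk) has no comment saying why nested groups must be walked, and the Javadoc gains only the word "Recursively". Since the rest of the method filters intents that come from the authenticator's preference list, the reason is presumably that an intent on a preference nested inside a category or sub-screen would otherwise skip that filtering; a line such as `// Nested groups come from the same authenticator-supplied list; their intents need the same filtering.` above the `instanceof` check would record that. The group's own intent is still processed after the recursion, which looks intended but is worth stating too. The method body continues outside the hunk.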
@@ -516,20 +520,26 @@ public class ManageAccountsSettings extends AccountPreferenceBase
 private boolean isSafeIntent(PackageManager pm, Intent intent) {
 AuthenticatorDescription authDesc =
 mAuthenticatorHelper.getAccountTypeDescription(mAccountType);
- ResolveInfo resolveInfo = pm.resolveActivity(intent, 0);
+ ResolveInfo resolveInfo =
+ pm.resolveActivityAsUser(intent, 0, mUserHandle.getIdentifier());
 if (resolveInfo == null) {
 return false;
 }
 ActivityInfo resolvedActivityInfo = resolveInfo.activityInfo;
 ApplicationInfo resolvedAppInfo = resolvedActivityInfo.applicationInfo;
 try {
+ if (resolvedActivityInfo.exported) {
+ if (resolvedActivityInfo.permission == null) {
+ return true; // exported activity without permission.
+ } else if (pm.checkPermission(resolvedActivityInfo.permission,
+ authDesc.packageName) == PackageManager.PERMISSION_GRANTED) {
+ return true;
+ }
+ }
 ApplicationInfo authenticatorAppInf = pm.getApplicationInfo(authDesc.packageName, 0);
- return resolvedActivityInfo.exported
- || resolvedAppInfo.uid == authenticatorAppInf.uid;
+ return resolvedAppInfo.uid == authenticatorAppInf.uid;
 } catch (NameNotFoundException e) {
- Log.e(TAG,
- "Intent considered unsafe due to exception.",
- e);
+ Log.e(TAG, "Intent considered unsafe due to exception.", e);
 return false;
 }
 }
-- cgit v1.2.3
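Review bot: In `isSafeIntent` the intent is now resolved for `mUserHandle`, but the two checks that decide the result still go through `pm` without a user id: `pm.checkPermission(resolvedActivityInfo.permission, authDesc.packageName)` and `pm.getApplicationInfo(authDesc.packageName, 0)`. If `pm` belongs to a different user than `mUserHandle` (a managed profile, say), the permission grant and the uid being compared are presumably read from the wrong user's package state, so the uid test can reject a legitimate authenticator activity and the permission test can answer for an install the intent will not run under. Looking the authenticator up in the same user would keep the three lookups consistent, e.g. `pm.getApplicationInfoAsUser(authDesc.packageName, 0, mUserHandle.getIdentifier())`, with the permission check done against that user's context as well. Separately, `authDesc` is dereferenced in the new `checkPermission` call with no null check; if `getAccountTypeDescription` can return null, `if (authDesc == null) return false;` before the `try` keeps that case fail-closed.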