Backport Prevent shortcut info package name spoofing
Test: cts-tradefed run cts -m CtsShortcutManagerTestCases -t android.content.pm.cts.shortcutmanager.ShortcutManagerFakingPublisherTest
Bug: 109824443
Change-Id: I90443973aaef157d357b98b739572866125b2bbc
Merged-In: I78948446a63b428ae750464194558fd44a658493
(cherry picked from commit 9e21579a11219581a0c08ff5dd6ac4dc22e988a4)
diff --git a/services/core/java/com/android/server/pm/ShortcutService.java b/services/core/java/com/android/server/pm/ShortcutService.java
index 15d2071..83b8175 100644
--- a/services/core/java/com/android/server/pm/ShortcutService.java
+++ b/services/core/java/com/android/server/pm/ShortcutService.java
@@ -131,6 +131,7 @@
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
+import java.util.Objects;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Consumer;
import java.util.function.Predicate;
@@ -1534,6 +1535,24 @@
"Ephemeral apps can't use ShortcutManager");
}
+ private void verifyShortcutInfoPackage(String callerPackage, ShortcutInfo si) {
+ if (si == null) {
+ return;
+ }
+ if (!Objects.equals(callerPackage, si.getPackage())) {
+ android.util.EventLog.writeEvent(0x534e4554, "109824443", -1, "");
+ throw new SecurityException("Shortcut package name mismatch");
+ }
+ }
+
+ private void verifyShortcutInfoPackages(
+ String callerPackage, List<ShortcutInfo> list) {
+ final int size = list.size();
+ for (int i = 0; i < size; i++) {
+ verifyShortcutInfoPackage(callerPackage, list.get(i));
+ }
+ }
+
// Overridden in unit tests to execute r synchronously.
void injectPostToHandler(Runnable r) {
mHandler.post(r);
@@ -1681,6 +1700,7 @@
verifyCaller(packageName, userId);
final List<ShortcutInfo> newShortcuts = (List<ShortcutInfo>) shortcutInfoList.getList();
+ verifyShortcutInfoPackages(packageName, newShortcuts);
final int size = newShortcuts.size();
synchronized (mLock) {
@@ -1732,6 +1752,7 @@
verifyCaller(packageName, userId);
final List<ShortcutInfo> newShortcuts = (List<ShortcutInfo>) shortcutInfoList.getList();
+ verifyShortcutInfoPackages(packageName, newShortcuts);
final int size = newShortcuts.size();
synchronized (mLock) {
@@ -1812,6 +1833,7 @@
verifyCaller(packageName, userId);
final List<ShortcutInfo> newShortcuts = (List<ShortcutInfo>) shortcutInfoList.getList();
+ verifyShortcutInfoPackages(packageName, newShortcuts);
final int size = newShortcuts.size();
synchronized (mLock) {
@@ -1871,6 +1893,7 @@
Preconditions.checkNotNull(shortcut);
Preconditions.checkArgument(shortcut.isEnabled(), "Shortcut must be enabled");
verifyCaller(packageName, userId);
+ verifyShortcutInfoPackage(packageName, shortcut);
final Intent ret;
synchronized (mLock) {
@@ -1892,6 +1915,7 @@
private boolean requestPinItem(String packageName, int userId, ShortcutInfo shortcut,
AppWidgetProviderInfo appWidget, Bundle extras, IntentSender resultIntent) {
verifyCaller(packageName, userId);
+ verifyShortcutInfoPackage(packageName, shortcut);
final boolean ret;
synchronized (mLock) {
