Security fixes for PendingIntent related apis in LauncherApps
Allowing arbitrary activityOptions during the creation of PendingIntent
is a source of security vulnerability. This CL removes activityOptions
from the call-site.
Bug: 209607104
Test: manual
Change-Id: Id262b9a0de58d8834c85d925cf84bb44b8b99742
Merged-In: Id262b9a0de58d8834c85d925cf84bb44b8b99742
(cherry picked from commit e41e04bb8cb930c079597bc0008540461c57ffe1)
Merged-In:Id262b9a0de58d8834c85d925cf84bb44b8b99742
diff --git a/core/java/android/content/pm/LauncherApps.java b/core/java/android/content/pm/LauncherApps.java
index a8a5837..0f9acad 100644
--- a/core/java/android/content/pm/LauncherApps.java
+++ b/core/java/android/content/pm/LauncherApps.java
@@ -739,7 +739,7 @@
* {@link #startMainActivity(ComponentName, UserHandle, Rect, Bundle)}.
*
* @param component The ComponentName of the activity to launch
- * @param startActivityOptions Options to pass to startActivity
+ * @param startActivityOptions This parameter is no longer supported
* @param user The UserHandle of the profile
* @hide
*/
@@ -751,7 +751,8 @@
Log.i(TAG, "GetMainActivityLaunchIntent " + component + " " + user);
}
try {
- return mService.getActivityLaunchIntent(component, startActivityOptions, user);
+ // due to b/209607104, startActivityOptions will be ignored
+ return mService.getActivityLaunchIntent(component, null /* opts */, user);
} catch (RemoteException re) {
throw re.rethrowFromSystemServer();
}
@@ -846,7 +847,7 @@
*
* @param packageName The packageName of the shortcut
* @param shortcutId The id of the shortcut
- * @param opts Options to pass to the PendingIntent
+ * @param opts This parameter is no longer supported
* @param user The UserHandle of the profile
*/
@Nullable
@@ -858,8 +859,9 @@
Log.i(TAG, "GetShortcutIntent " + packageName + "/" + shortcutId + " " + user);
}
try {
+ // due to b/209607104, opts will be ignored
return mService.getShortcutIntent(
- mContext.getPackageName(), packageName, shortcutId, opts, user);
+ mContext.getPackageName(), packageName, shortcutId, null /* opts */, user);
} catch (RemoteException re) {
throw re.rethrowFromSystemServer();
}
diff --git a/services/core/java/com/android/server/pm/LauncherAppsService.java b/services/core/java/com/android/server/pm/LauncherAppsService.java
index 419b726..24b9f48 100644
--- a/services/core/java/com/android/server/pm/LauncherAppsService.java
+++ b/services/core/java/com/android/server/pm/LauncherAppsService.java
@@ -815,7 +815,7 @@
PendingIntent injectCreatePendingIntent(int requestCode, @NonNull Intent[] intents,
int flags, Bundle options, String ownerPackage, int ownerUserId) {
return mActivityManagerInternal.getPendingIntentActivityAsApp(requestCode, intents,
- flags, options, ownerPackage, ownerUserId);
+ flags, null /* options */, ownerPackage, ownerUserId);
}
@Override
@@ -1117,7 +1117,7 @@
// calling identity to mirror the startActivityAsUser() call which does not validate
// the calling user
return PendingIntent.getActivityAsUser(mContext, 0 /* requestCode */, launchIntent,
- FLAG_IMMUTABLE, opts, user);
+ FLAG_IMMUTABLE, null /* options */, user);
} finally {
Binder.restoreCallingIdentity(ident);
}
