Correct vulnerability when setting pending intents on import/export notifications by setting FLAG_IMMUTABLE
For cases where we were setting an empty content intent, setContentIntent has not been required since Gingerbread
Bug: 161718556
Test: build
Change-Id: I1f62fdc077401fea2c48a31527464464f08a6b64
(cherry picked from commit 1d595f80e9c5157f8ca0285b572c9f1463e05c58)
diff --git a/src/com/android/contacts/vcard/ExportProcessor.java b/src/com/android/contacts/vcard/ExportProcessor.java
index 13d80ca..66308c6 100644
--- a/src/com/android/contacts/vcard/ExportProcessor.java
+++ b/src/com/android/contacts/vcard/ExportProcessor.java
@@ -304,11 +304,12 @@
intent.setType(Contacts.CONTENT_VCARD_TYPE);
intent.putExtra(Intent.EXTRA_STREAM, uri);
// Securely grant access using temporary access permissions
- intent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
+ // Use FLAG_ACTIVITY_NEW_TASK to set it as new task, to get rid of cached files.
+ intent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_ACTIVITY_NEW_TASK);
// Build notification
final Notification notification =
- NotificationImportExportListener.constructFinishNotificationWithFlags(
- mService, title, description, intent, Intent.FLAG_ACTIVITY_NEW_TASK);
+ NotificationImportExportListener.constructFinishNotification(
+ mService, title, description, intent);
mNotificationManager.notify(NotificationImportExportListener.DEFAULT_NOTIFICATION_TAG,
mJobId, notification);
}
diff --git a/src/com/android/contacts/vcard/NotificationImportExportListener.java b/src/com/android/contacts/vcard/NotificationImportExportListener.java
index f8f4320..efd6861 100644
--- a/src/com/android/contacts/vcard/NotificationImportExportListener.java
+++ b/src/com/android/contacts/vcard/NotificationImportExportListener.java
@@ -16,6 +16,8 @@
package com.android.contacts.vcard;
+import static android.app.PendingIntent.FLAG_IMMUTABLE;
+
import android.app.Activity;
import android.app.Notification;
import android.app.NotificationManager;
@@ -229,7 +231,7 @@
.setSmallIcon(type == VCardService.TYPE_IMPORT
? android.R.drawable.stat_sys_download
: android.R.drawable.stat_sys_upload)
- .setContentIntent(PendingIntent.getActivity(context, 0, intent, 0));
+ .setContentIntent(PendingIntent.getActivity(context, 0, intent, FLAG_IMMUTABLE));
if (totalCount > 0) {
String percentage =
NumberFormat.getPercentInstance().format((double) currentCount / totalCount);
@@ -254,10 +256,6 @@
.setColor(context.getResources().getColor(R.color.dialtacts_theme_color))
.setContentTitle(description)
.setContentText(description)
- // Launch an intent that won't resolve to anything. Restrict the intent to this
- // app to make sure that no other app can steal this pending-intent b/19296918.
- .setContentIntent(PendingIntent
- .getActivity(context, 0, new Intent(context.getPackageName(), null), 0))
.build();
}
@@ -270,29 +268,16 @@
*/
/* package */ static Notification constructFinishNotification(
Context context, String title, String description, Intent intent) {
- return constructFinishNotificationWithFlags(context, title, description, intent, 0);
- }
-
- /**
- * @param flags use FLAG_ACTIVITY_NEW_TASK to set it as new task, to get rid of cached files.
- */
- /* package */ static Notification constructFinishNotificationWithFlags(
- Context context, String title, String description, Intent intent, int flags) {
ContactsNotificationChannelsUtil.createDefaultChannel(context);
return new NotificationCompat.Builder(context,
- ContactsNotificationChannelsUtil.DEFAULT_CHANNEL)
- .setAutoCancel(true)
- .setColor(context.getResources().getColor(R.color.dialtacts_theme_color))
- .setSmallIcon(R.drawable.quantum_ic_done_vd_theme_24)
- .setContentTitle(title)
- .setContentText(description)
- // If no intent provided, include an intent that won't resolve to anything.
- // Restrict the intent to this app to make sure that no other app can steal this
- // pending-intent b/19296918.
- .setContentIntent(PendingIntent.getActivity(context, 0,
- (intent != null ? intent : new Intent(context.getPackageName(), null)),
- flags))
- .build();
+ ContactsNotificationChannelsUtil.DEFAULT_CHANNEL)
+ .setAutoCancel(true)
+ .setColor(context.getResources().getColor(R.color.dialtacts_theme_color))
+ .setSmallIcon(R.drawable.quantum_ic_done_vd_theme_24)
+ .setContentTitle(title)
+ .setContentText(description)
+ .setContentIntent(PendingIntent.getActivity(context, 0, intent, FLAG_IMMUTABLE))
+ .build();
}
/**
@@ -311,10 +296,6 @@
.setSmallIcon(android.R.drawable.stat_notify_error)
.setContentTitle(context.getString(R.string.vcard_import_failed))
.setContentText(reason)
- // Launch an intent that won't resolve to anything. Restrict the intent to this
- // app to make sure that no other app can steal this pending-intent b/19296918.
- .setContentIntent(PendingIntent
- .getActivity(context, 0, new Intent(context.getPackageName(), null), 0))
.build();
}
}