commit 2c1b1aa81346c68179a88bad31f23ed976517954
author Binyi Wu <binyiwu@google.com> Tue Sep 06 17:58:53 2022 +0800
committer Binyi Wu <binyiwu@google.com> Wed Sep 14 05:04:35 2022 +0000
tree f834c8657bfed5e69e80fac46ec8a29be71a9ee1
parent 17122f961797f22384799a7bc7cf4c131c818de6

Prevent intent defined in AccountPreference from leaking access

Intent defined in AccountPreferences can grant Settings protected ContentProviders' access to authenticator app. We'll explicitly set an empty ClipData to avoid being used for unexpected access grant.

Test: manual, refer to #comment5 in bug for repro steps
Bug: 220733496
Change-Id: I85c22c9a7d72b8a55472d366d8adb6a75ac5c8a5

src/com/android/settings/accounts/AccountTypePreferenceLoader.java

diff --git a/src/com/android/settings/accounts/AccountTypePreferenceLoader.java b/src/com/android/settings/accounts/AccountTypePreferenceLoader.java
index 42bb34a..f1b5be1 100644
--- a/src/com/android/settings/accounts/AccountTypePreferenceLoader.java
+++ b/src/com/android/settings/accounts/AccountTypePreferenceLoader.java
@@ -19,6 +19,7 @@
 
 import android.accounts.Account;
 import android.accounts.AuthenticatorDescription;
+import android.content.ClipData;
 import android.content.Context;
 import android.content.Intent;
 import android.content.pm.ActivityInfo;
@@ -164,6 +165,9 @@
                                  * exploiting the fact that settings has system privileges.
                                  */
                             if (isSafeIntent(pm, prefIntent, acccountType)) {
+                                // Explicitly set an empty ClipData to ensure that we don't offer to
+                                // promote any Uris contained inside for granting purposes
+                                prefIntent.setClipData(ClipData.newPlainText(null, null));
                                 mFragment.getActivity().startActivityAsUser(
                                     prefIntent, mUserHandle);
                             } else {