Merge changes from topic "am-32ac52b1-d1ae-4650-b9ae-368d8cd519cb" into cw-f-dev

* changes: [automerger] RESTRICT AUTOMERGE: Prevent shortcut info package name spoofing am: 2f7d50058a RESTRICT AUTOMERGE: Prevent shortcut info package name spoofing
author: Atanas Kirilov <akirilov@google.com> 2018-06-27 23:29:41 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> 2018-06-27 23:29:41 +0000
commit: 75b5dc8fb91c69cb4d94274dc4e6f5a6aaeb457d (patch)
tree: 6908964db77b7e36d6373097db9a20ac6fe29e0e
parent: 3d38ba1f9bb53c3695a27f242feb28a3f5e56040 (diff)
parent: 06848a3f8fa0b815d13d339c676191f6ebc50d33 (diff)
1 files changed, 22 insertions, 0 deletions
diff --git a/services/core/java/com/android/server/pm/ShortcutService.java b/services/core/java/com/android/server/pm/ShortcutService.java
index 500af0ca73d3..afc74ad0a806 100644
--- a/services/core/java/com/android/server/pm/ShortcutService.java
+++ b/services/core/java/com/android/server/pm/ShortcutService.java
@@ -124,6 +124,7 @@ import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
+import java.util.Objects;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.function.Consumer;
 import java.util.function.Predicate;
@@ -1523,6 +1524,24 @@ public class ShortcutService extends IShortcutService.Stub {
         throw new SecurityException("Calling package name mismatch");
     }
 
+    private void verifyShortcutInfoPackage(String callerPackage, ShortcutInfo si) {
+        if (si == null) {
+            return;
+        }
+        if (!Objects.equals(callerPackage, si.getPackage())) {
+            android.util.EventLog.writeEvent(0x534e4554, "109824443", -1, "");
+            throw new SecurityException("Shortcut package name mismatch");
+        }
+    }
+
+    private void verifyShortcutInfoPackages(
+            String callerPackage, List<ShortcutInfo> list) {
+        final int size = list.size();
+        for (int i = 0; i < size; i++) {
+            verifyShortcutInfoPackage(callerPackage, list.get(i));
+        }
+    }
+
     // Overridden in unit tests to execute r synchronously.
     void injectPostToHandler(Runnable r) {
         mHandler.post(r);
@@ -1651,6 +1670,7 @@ public class ShortcutService extends IShortcutService.Stub {
         verifyCaller(packageName, userId);
 
         final List<ShortcutInfo> newShortcuts = (List<ShortcutInfo>) shortcutInfoList.getList();
+        verifyShortcutInfoPackages(packageName, newShortcuts);
         final int size = newShortcuts.size();
 
         synchronized (mLock) {
@@ -1702,6 +1722,7 @@ public class ShortcutService extends IShortcutService.Stub {
         verifyCaller(packageName, userId);
 
         final List<ShortcutInfo> newShortcuts = (List<ShortcutInfo>) shortcutInfoList.getList();
+        verifyShortcutInfoPackages(packageName, newShortcuts);
         final int size = newShortcuts.size();
 
         synchronized (mLock) {
@@ -1782,6 +1803,7 @@ public class ShortcutService extends IShortcutService.Stub {
         verifyCaller(packageName, userId);
 
         final List<ShortcutInfo> newShortcuts = (List<ShortcutInfo>) shortcutInfoList.getList();
+        verifyShortcutInfoPackages(packageName, newShortcuts);
         final int size = newShortcuts.size();
 
         synchronized (mLock) {
author	Atanas Kirilov <akirilov@google.com>	2018-06-27 23:29:41 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	2018-06-27 23:29:41 +0000
commit	75b5dc8fb91c69cb4d94274dc4e6f5a6aaeb457d (patch)
tree	6908964db77b7e36d6373097db9a20ac6fe29e0e
parent	3d38ba1f9bb53c3695a27f242feb28a3f5e56040 (diff)
parent	06848a3f8fa0b815d13d339c676191f6ebc50d33 (diff)