DO NOT MERGE. KEY_INTENT shouldn't grant permissions.

KEY_INTENT has no business granting any Uri permissions, so remove any grant flags that malicious apps may have tried sneaking in. Test: builds, boots Bug: 32990341, 32879915 Change-Id: I657455a770c81f045ccce6abbd2291407a1cfb42
author: Jeff Sharkey <jsharkey@android.com> 2017-06-12 17:33:07 -0600
committer: Jeff Sharkey <jsharkey@google.com> 2017-10-03 21:47:15 +0000
commit: ca7ffa06bc0304eaea942d77e3db60af77bcd2ad (patch)
tree: fd02f5cfe4e156a639f0fbf4e66d63970a3d60a2
parent: 0595b5a94b222ca399ee17c7d672302beb0c5eb4 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
index d480f68bfe3b..e5fa73c5839f 100644
--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
@@ -1669,6 +1669,11 @@ public class AccountManagerService
 
                         Intent intent = result.getParcelable(AccountManager.KEY_INTENT);
                         if (intent != null && notifyOnAuthFailure && !customTokens) {
+                            intent.setFlags(
+                                    intent.getFlags() & ~(Intent.FLAG_GRANT_READ_URI_PERMISSION
+                                            | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
+                                            | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
+                                            | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION));
                             doNotification(mAccounts,
                                     account, result.getString(AccountManager.KEY_AUTH_FAILED_MESSAGE),
                                     intent, accounts.userId);
@@ -2563,6 +2568,11 @@ public class AccountManagerService
             Intent intent = null;
             if (result != null
                     && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {
+                intent.setFlags(
+                        intent.getFlags() & ~(Intent.FLAG_GRANT_READ_URI_PERMISSION
+                                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
+                                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
+                                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION));
                 /*
                  * The Authenticator API allows third party authenticators to
                  * supply arbitrary intents to other apps that they can run,
author	Jeff Sharkey <jsharkey@android.com>	2017-06-12 17:33:07 -0600
committer	Jeff Sharkey <jsharkey@google.com>	2017-10-03 21:47:15 +0000
commit	ca7ffa06bc0304eaea942d77e3db60af77bcd2ad (patch)
tree	fd02f5cfe4e156a639f0fbf4e66d63970a3d60a2
parent	0595b5a94b222ca399ee17c7d672302beb0c5eb4 (diff)