[DO NOT MERGE] Verify URI Permissions in Autofill RemoteViews - platform/frameworks/base

diff options

author	Tim Yu <yunicorn@google.com>	2023-06-20 21:24:36 +0000
committer	Tim Yu <yunicorn@google.com>	2023-07-10 19:53:35 +0000
commit	93810ba1c0a4d31f49adbf9454731e2b7defdfc0 (patch)
tree	482fe396bf2cf3f4a856e90806964a048e890e9d /libs/input/PointerController.cpp
parent	9c0d0d918f0f41bbd3fbd7694d1f2d7f98b24a1c (diff)

[DO NOT MERGE] Verify URI Permissions in Autofill RemoteViews

Check permissions of URI inside of FillResponse's RemoteViews. If the current user does not have the required permissions to view the URI, the RemoteView is dropped from displaying. This fixes a security spill in which a user can view content of another user through a malicious Autofill provider. Bug: 283137865 Fixes: b/283264674 b/281666022 b/281665050 b/281848557 b/281533566 b/281534749 b/283101289 Test: Verified by POC app attached in bugs Test: atest CtsAutoFillServiceTestCases (added new tests) Change-Id: I6f4d2a35e89bbed7bd9e07bf5cd3e2d68b20af9a Merged-In: I6f4d2a35e89bbed7bd9e07bf5cd3e2d68b20af9a

Diffstat (limited to 'libs/input/PointerController.cpp')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: