diff options
| author | 2023-05-25 21:58:19 +0000 | |
|---|---|---|
| committer | 2023-06-01 16:25:07 +0000 | |
| commit | f043c230b6e50494e92eab51433ab67b322da2f5 (patch) | |
| tree | be1f3ffc71c064c50ea86ab31b33275bdc2597a5 /packages/Shell/src | |
| parent | 36bf22cf4995bc09754b740e085f4331f01415da (diff) | |
Resolve StatusHints image exploit across user.
Because of the INTERACT_ACROSS_USERS permission, an app that implements
a ConnectionService can upload an image icon belonging to another user
by setting it in the StatusHints. Validating the construction of the
StatusHints on the calling user would prevent a malicious app from
registering a connection service with the embedded image icon from a
different user.
From additional feedback, this CL also addresses potential
vulnerabilities in an app being able to directly invoke the binder for a
means to manipulate the contents of the bundle that are passed with it.
The targeted points of entry are in ConnectionServiceWrapper for the
following APIs: handleCreateConnectionComplete, setStatusHints,
addConferenceCall, and addExistingConnection.
Fixes: 280797684
Test: Manual (verified that original exploit is no longer an issue).
Test: Unit test for validating image in StatusHints constructor.
Test: Unit tests to address vulnerabilities via the binder.
Change-Id: I6e70e238b3a5ace1cab41ec5796a6bb4d79769f2
Merged-In: I6e70e238b3a5ace1cab41ec5796a6bb4d79769f2
Diffstat (limited to 'packages/Shell/src')
0 files changed, 0 insertions, 0 deletions