FPII-2481: Elevation of privilege vulnerability in AOSP Launcher CVE-2016-6716 A-30778130
Backport of fix for A-30778130 based a commit from Sunny Goyal <sunnygoyal@google.com>
Changes to the original commit: Droped tests that are only necessary for
Marshmellow or newer and changed the way how LauncherActivities are identified.
Original commit message:
Preventing a shortcut which requires permissions from being added to
homescreen
A shortcut can be added by any app as INSTALL_SHORTCUT is a normal
level permission. But the intent is actually launched by the launcher
app which can have other permission as well.
> When adding a shortcut from the broadcast, verify that the intent does
not require any permission
> When adding a shortcut using the two-step drop process, verify that
the source app also has the permission to create such a shortcut
Bug: 30778130
Change-Id: I33a391bc0af81248aaff4459aaa79d1adc77926b
(cherry picked from commit fb5096d07bb3bb59fd4b5db6b68613030169b4bd)
(cherry picked from commit 116d34bc634cfe12ffa2f291df286629d5abdcfd)
3 files changed
