commit 4be7c61a339f8200527f6df5a7b2215c96f81b4b
author Paul Lawrence <paullawrence@google.com> Thu Feb 27 11:24:05 2014 -0800
committer Android Git Automerger <android-git-automerger@android.com> Thu Feb 27 11:24:05 2014 -0800
tree d1b98f7f5e15c5e1fdef1dc196bd751a2e112a48
parent a1b89310d58df14570f7f6f5abb677c976c63a7a
parent 5677513b7c46ca08a7fa34b9d227d7a448db6757

am 5677513b: am da37ed8b: am b9ba0c6c: Prevent authenticators from using Settings to  launch arbitrary activities.

* commit '5677513b7c46ca08a7fa34b9d227d7a448db6757':
  Prevent authenticators from using Settings to  launch arbitrary activities.

core/java/android/accounts/AccountManagerService.java

diff --git a/core/java/android/accounts/AccountManagerService.java b/core/java/android/accounts/AccountManagerService.java
index 2b1a2b2..0490d8e 100644
--- a/core/java/android/accounts/AccountManagerService.java
+++ b/core/java/android/accounts/AccountManagerService.java
@@ -35,6 +35,7 @@
 import android.content.pm.PackageManager.NameNotFoundException;
 import android.content.pm.RegisteredServicesCache;
 import android.content.pm.RegisteredServicesCacheListener;
+import android.content.pm.ResolveInfo;
 import android.content.pm.UserInfo;
 import android.database.Cursor;
 import android.database.DatabaseUtils;
@@ -1799,9 +1800,31 @@
             }
         }
 
+        @Override
         public void onResult(Bundle result) {
             mNumResults++;
-            if (result != null && !TextUtils.isEmpty(result.getString(AccountManager.KEY_AUTHTOKEN))) {
+            Intent intent = null;
+            if (result != null
+                    && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {
+                /*
+                 * The Authenticator API allows third party authenticators to
+                 * supply arbitrary intents to other apps that they can run,
+                 * this can be very bad when those apps are in the system like
+                 * the System Settings.
+                 */
+                PackageManager pm = mContext.getPackageManager();
+                ResolveInfo resolveInfo = pm.resolveActivity(intent, 0);
+                int targetUid = resolveInfo.activityInfo.applicationInfo.uid;
+                int authenticatorUid = Binder.getCallingUid();
+                if (PackageManager.SIGNATURE_MATCH !=
+                        pm.checkSignatures(authenticatorUid, targetUid)) {
+                    throw new SecurityException(
+                            "Activity to be started with KEY_INTENT must " +
+                            "share Authenticator's signatures");
+                }
+            }
+            if (result != null
+                    && !TextUtils.isEmpty(result.getString(AccountManager.KEY_AUTHTOKEN))) {
                 String accountName = result.getString(AccountManager.KEY_ACCOUNT_NAME);
                 String accountType = result.getString(AccountManager.KEY_ACCOUNT_TYPE);
                 if (!TextUtils.isEmpty(accountName) && !TextUtils.isEmpty(accountType)) {