authorAdam Cohen <adamcohen@google.com>2014-05-27 16:53:03 -0700
committerAdam Cohen <adamcohen@google.com>2014-05-27 17:23:58 -0700
commit1c5bffbf5bae6762c8df07350abca61e460653bb (patch)
treed0cbf5bd3cdcc31ebb5b1990662a150218ae1c94 /services/appwidget
parent1218c3134c9d72523d5f1fe456a163670bfa4435 (diff)
downloadframeworks_base-1c5bffbf5bae6762c8df07350abca61e460653bb.zip
frameworks_base-1c5bffbf5bae6762c8df07350abca61e460653bb.tar.gz
frameworks_base-1c5bffbf5bae6762c8df07350abca61e460653bb.tar.bz2
Fix security issue in bindRemoteViewsService
-> Enforce that the passed intent's component belongs to the same package as the passed AppWidget id. issue 15287902 Change-Id: Ic85c38d399fe1cbb6f7efa844ae0f5367a1906ed
Diffstat (limited to 'services/appwidget')
-rw-r--r--services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java9
1 files changed, 9 insertions, 0 deletions
diff --git a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
index 87b1d32..7a67d63 100644
--- a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
+++ b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
@@ -843,6 +843,15 @@ class AppWidgetServiceImpl {
throw new IllegalArgumentException("Unknown component " + componentName);
}
+ // Ensure that the service specified by the passed intent belongs to the same package
+ // as provides the passed widget id.
+ String widgetIdPackage = id.provider.info.provider.getPackageName();
+ String servicePackage = componentName.getPackageName();
+ if (!servicePackage.equals(widgetIdPackage)) {
+ throw new SecurityException("Specified intent doesn't belong to the same package"
+ + " as the provided AppWidget id");
+ }
+
// If there is already a connection made for this service intent, then disconnect from
// that first. (This does not allow multiple connections to the same service under
// the same key)
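Review bot: The added check dereferences `id.provider.info.provider` without a null guard, and nothing visible in this hunk shows that the widget id is already bound to a provider when this line runs. If an id that is allocated but not yet bound can reach it, the call would end in a NullPointerException rather than the intended SecurityException; that still fails closed, but the rejection reason is lost to callers and logs. A guard placed before the comparison would make the rejection explicit, e.g. `if (id.provider == null) throw new IllegalArgumentException("AppWidget id has no provider");`. The comparison is also by package name only, so it presumably relies on caller-ownership and per-user checks made earlier in the method, which starts and ends outside this hunk and should be confirmed there.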