diff options
| author | Christopher Tate <ctate@google.com> | 2010-04-21 18:15:44 -0700 |
|---|---|---|
| committer | Android Git Automerger <android-git-automerger@android.com> | 2010-04-21 18:15:44 -0700 |
| commit | 7e93aad42d5f96e4e3a471e49384e1ce794c9411 (patch) | |
| tree | 330f67bbeb8f4f9bd9cb52a58b7fc4825080ae4b /services | |
| parent | f77fff4b4e904486bf25affde713294d40764e15 (diff) | |
| parent | 36fa47139d4621dc4bf8d89caa8650495d901b00 (diff) | |
| download | frameworks_base-7e93aad42d5f96e4e3a471e49384e1ce794c9411.zip frameworks_base-7e93aad42d5f96e4e3a471e49384e1ce794c9411.tar.gz frameworks_base-7e93aad42d5f96e4e3a471e49384e1ce794c9411.tar.bz2 | |
am 36fa4713: Merge "Fix security hole in Google backup transport registration" into froyo
Merge commit '36fa47139d4621dc4bf8d89caa8650495d901b00' into froyo-plus-aosp
* commit '36fa47139d4621dc4bf8d89caa8650495d901b00':
Fix security hole in Google backup transport registration
Diffstat (limited to 'services')
| -rw-r--r-- | services/java/com/android/server/BackupManagerService.java | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/services/java/com/android/server/BackupManagerService.java b/services/java/com/android/server/BackupManagerService.java index 91dfaf3..d67dde0 100644 --- a/services/java/com/android/server/BackupManagerService.java +++ b/services/java/com/android/server/BackupManagerService.java @@ -479,10 +479,25 @@ class BackupManagerService extends IBackupManager.Stub { // Attach to the Google backup transport. When this comes up, it will set // itself as the current transport because we explicitly reset mCurrentTransport // to null. - Intent intent = new Intent().setComponent(new ComponentName( - "com.google.android.backup", - "com.google.android.backup.BackupTransportService")); - context.bindService(intent, mGoogleConnection, Context.BIND_AUTO_CREATE); + ComponentName transportComponent = new ComponentName("com.google.android.backup", + "com.google.android.backup.BackupTransportService"); + try { + // If there's something out there that is supposed to be the Google + // backup transport, make sure it's legitimately part of the OS build + // and not an app lying about its package name. + ApplicationInfo info = mPackageManager.getApplicationInfo( + transportComponent.getPackageName(), 0); + if ((info.flags & ApplicationInfo.FLAG_SYSTEM) != 0) { + if (DEBUG) Slog.v(TAG, "Binding to Google transport"); + Intent intent = new Intent().setComponent(transportComponent); + context.bindService(intent, mGoogleConnection, Context.BIND_AUTO_CREATE); + } else { + Slog.w(TAG, "Possible Google transport spoof: ignoring " + info); + } + } catch (PackageManager.NameNotFoundException nnf) { + // No such package? No binding. + if (DEBUG) Slog.v(TAG, "Google transport not present"); + } // Now that we know about valid backup participants, parse any // leftover journal files into the pending backup set |