From b0a78390ed834724e9c6adf0feff9931d7f9ec10 Mon Sep 17 00:00:00 2001
From: Svetoslav
Date: Fri, 10 Apr 2015 17:25:35 -0700
Subject: Add a mechanism to make pending intents immutable.
bug:19618745
Change-Id: Ice742e0162cb9b7c0afbc32e0eea03d501666e2b
---
 .../com/android/server/appwidget/AppWidgetServiceImpl.java | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
(limited to 'services/appwidget')
diff --git a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
index da11dad..f42aef1 100644
--- a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
+++ b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
@@ -674,7 +674,7 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku
 @Override
 public IntentSender createAppWidgetConfigIntentSender(String callingPackage, int appWidgetId,
- int intentFlags) {
+ final int intentFlags) {
 final int userId = UserHandle.getCallingUserId();
 if (DEBUG) {
@@ -701,18 +701,21 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku
 throw new IllegalArgumentException("Widget not bound " + appWidgetId);
 }
+ // Make sure only safe flags can be passed it.
+ final int secureFlags = intentFlags & ~Intent.IMMUTABLE_FLAGS;
+
 Intent intent = new Intent(AppWidgetManager.ACTION_APPWIDGET_CONFIGURE);
 intent.putExtra(AppWidgetManager.EXTRA_APPWIDGET_ID, appWidgetId);
 intent.setComponent(provider.info.configure);
- intent.setFlags(intentFlags);
+ intent.setFlags(secureFlags);
 // All right, create the sender.
 final long identity = Binder.clearCallingIdentity();
 try {
 return PendingIntent.getActivityAsUser(
 mContext, 0, intent, PendingIntent.FLAG_ONE_SHOT
- | PendingIntent.FLAG_CANCEL_CURRENT, null,
- new UserHandle(provider.getUserId()))
+ | PendingIntent.FLAG_IMMUTABLE | PendingIntent.FLAG_CANCEL_CURRENT,
+ null, new UserHandle(provider.getUserId()))
 .getIntentSender();
 } finally {
 Binder.restoreCallingIdentity(identity);
--
cgit v1.1
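Review bot: The new comment above `secureFlags` has a typo ("passed it") and does not say why the mask is needed, which matters here because the PendingIntent is built after `Binder.clearCallingIdentity()` and so is not created under the caller's identity. I would write it as `// Strip Intent.IMMUTABLE_FLAGS from the caller-supplied flags; the sender is created under this service's identity, so the caller must not control them.` The mask is also a denylist: every other bit of `intentFlags` still reaches `intent.setFlags(secureFlags)`, so if the set of flags a widget host legitimately needs is small, masking against an explicit allowlist would be more robust; what `Intent.IMMUTABLE_FLAGS` contains is not visible in this hunk. The method body starts and ends outside the hunk.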