From 496764cae89759be0374bf5ed8bd05deb41b72ff Mon Sep 17 00:00:00 2001
From: Ricardo Cerqueira
Date: Wed, 26 Jun 2013 11:48:13 +0100
Subject: AssetRedirectionManager: Accept redirections only for whitelisted resource types
Change-Id: Idf1ea739a81719b6a196f0114c9fc3b7c7ff428c
---
.../server/AssetRedirectionManagerService.java | 23 ++++++++++++++++++++++
1 file changed, 23 insertions(+)
(limited to 'services')
diff --git a/services/java/com/android/server/AssetRedirectionManagerService.java b/services/java/com/android/server/AssetRedirectionManagerService.java
index 3a62de0..ebe5a0f 100644
--- a/services/java/com/android/server/AssetRedirectionManagerService.java
+++ b/services/java/com/android/server/AssetRedirectionManagerService.java
@@ -375,14 +375,37 @@ public class AssetRedirectionManagerService extends IAssetRedirectionManager.Stu } } + /* Limit themeability to well-known visual resource types. Strings, booleans, integers, + and other resource types are very likely to be internal to applications or the system, + and should not be overridden */ + + private boolean checkAllowedResType(String name) { + String allowedResourceTypes[] = { "color", "dimen", "drawable", "mipmap", "style" }; + + for (String resType : allowedResourceTypes) { + if (name.startsWith(resType)) { + return true; + } + } + return false; + } + private void processItemTag() throws XmlPullParserException, IOException { XmlPullParser parser = mParser; String fromName = parser.getAttributeValue(null, "name"); + if (TextUtils.isEmpty(fromName)) { Log.w(TAG, "Missing android:name attribute on tag at " + getResourceLabel() + " " + parser.getPositionDescription()); return; } + + if (!checkAllowedResType(fromName)) { + Log.w(TAG, "Attempting to redirect unauthorized resource " + fromName + " at " + getResourceLabel() + " " + + parser.getPositionDescription()); + return; + } + String toName = parser.nextText(); if (TextUtils.isEmpty(toName)) { Log.w(TAG, "Missing text at " + getResourceLabel() + " " + -- cgit v1.1
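Review bot: The allowlist in `checkAllowedResType` is a bare prefix match, so `name.startsWith(resType)` accepts any value that merely begins with one of the five words (a type segment such as `styleable`, for instance), not only the five intended types. If the `name` attribute has the `type/entry` form, which this hunk does not show, the check should cover the whole type segment, e.g. `if (name.startsWith(resType + "/"))`, or split on the first `/` and compare with `equals`. Whether the looser match can actually reach a non-visual resource depends on how `fromName` is resolved later in `processItemTag`, whose body continues outside the hunk. The list could also be a `private static final String[]` constant rather than an array rebuilt on every call.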