Fixed #3583 Pending Intent vulnerability
shai-almog committed Apr 23, 2022
1 parent 79a8e37 commit dad49c9
Showing 5 changed files with 54 additions and 31 deletions.
@@ -775,7 +775,36 @@ private static PushActionCategory[] getInstalledPushActionCategories(Context con
}
return out.toArray(new PushActionCategory[out.size()]);
}


public static PendingIntent createPendingIntent(Context ctx, int value, Intent intent) {
if (android.os.Build.VERSION.SDK_INT >= 23) {
// PendingIntent.FLAG_IMMUTABLE
return PendingIntent.getActivity(ctx, value, newIntent, 67108864);
} else {
return PendingIntent.getActivity(ctx, value, newIntent, PendingIntent.FLAG_CANCEL_CURRENT);
}
}

public static PendingIntent getPendingIntent(Context ctx, int value, Intent intent) {
if (android.os.Build.VERSION.SDK_INT >= 23) {
// PendingIntent.FLAG_IMMUTABLE
return PendingIntent.getService(ctx, value, newIntent, 67108864);
} else {
return PendingIntent.getService(ctx, value, newIntent, PendingIntent.FLAG_CANCEL_CURRENT);
}
PendingIntent.getService
}

public static PendingIntent getBroadcastPendingIntent(Context ctx, int value, Intent intent) {
if (android.os.Build.VERSION.SDK_INT >= 23) {
// PendingIntent.FLAG_IMMUTABLE
return PendingIntent.getBroadcast(ctx, value, newIntent, 67108864);
} else {
return PendingIntent.getBroadcast(ctx, value, newIntent, PendingIntent.FLAG_CANCEL_CURRENT);
}
PendingIntent.getService
}

/**
* Adds actions to a push notification. This is called by the Push broadcast receiver probably before
* Codename One is initialized
@@ -811,7 +840,7 @@ public static void addActionsToNotification(PushActionsProvider provider, String
for (PushAction action : category.getActions()) {
Intent newIntent = (Intent)targetIntent.clone();
newIntent.putExtra("pushActionId", action.getId());
PendingIntent contentIntent = PendingIntent.getActivity(context, requestCode++, newIntent, PendingIntent.FLAG_CANCEL_CURRENT);
PendingIntent contentIntent = createPendingIntent(context, requestCode++, newIntent);
try {
int iconId = 0;
try { iconId = Integer.parseInt(action.getIcon());} catch (Exception ex){}
@@ -7093,7 +7122,7 @@ public Object notifyStatusBar(String tickerText, String contentTitle,

Intent notificationIntent = new Intent();
notificationIntent.setComponent(activityComponentName);
PendingIntent contentIntent = PendingIntent.getActivity(getContext(), 0, notificationIntent, 0);
PendingIntent contentIntent = createPendingIntent(getContext(), 0, notificationIntent);


NotificationCompat.Builder builder = new NotificationCompat.Builder(getContext())
@@ -10416,20 +10445,19 @@ public void scheduleLocalNotification(LocalNotification notif, long firstTime, i
//intent.putExtra("backgroundClass", getBackgroundLocationListener().getName());
//an ugly workaround to the putExtra bug
intent.setData(Uri.parse("http://codenameone.com/a?" + getBackgroundFetchListener().getClass().getName()));
PendingIntent pendingIntent = PendingIntent.getService(context, 0,
intent,
PendingIntent.FLAG_UPDATE_CURRENT);
PendingIntent pendingIntent = getPendingIntent(context, 0,
intent);
notificationIntent.putExtra(LocalNotificationPublisher.BACKGROUND_FETCH_INTENT, pendingIntent);

} else {
contentIntent.setData(Uri.parse("http://codenameone.com/a?LocalNotificationID="+Uri.encode(notif.getId())));
}
PendingIntent pendingContentIntent = PendingIntent.getActivity(getContext(), 0, contentIntent, PendingIntent.FLAG_UPDATE_CURRENT);
PendingIntent pendingContentIntent = createPendingIntent(getContext(), 0, contentIntent);

notificationIntent.putExtra(LocalNotificationPublisher.NOTIFICATION_INTENT, pendingContentIntent);


PendingIntent pendingIntent = PendingIntent.getBroadcast(getContext(), 0, notificationIntent, PendingIntent.FLAG_UPDATE_CURRENT);
PendingIntent pendingIntent = getBroadcastPendingIntent(getContext(), 0, notificationIntent);

AlarmManager alarmManager = (AlarmManager) getContext().getSystemService(Context.ALARM_SERVICE);
if (BACKGROUND_FETCH_NOTIFICATION_ID.equals(notif.getId())) {
@@ -10462,7 +10490,7 @@ public void cancelLocalNotification(String notificationId) {
Intent notificationIntent = new Intent(getContext(), LocalNotificationPublisher.class);
notificationIntent.setAction(getContext().getApplicationInfo().packageName + "." + notificationId);

PendingIntent pendingIntent = PendingIntent.getBroadcast(getContext(), 0, notificationIntent, PendingIntent.FLAG_UPDATE_CURRENT);
PendingIntent pendingIntent = getBroadcastPendingIntent(getContext(), 0, notificationIntent);
AlarmManager alarmManager = (AlarmManager) getContext().getSystemService(Context.ALARM_SERVICE);
alarmManager.cancel(pendingIntent);
}
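Review bot: The three helpers added at the top of this section (`createPendingIntent`, `getPendingIntent`, `getBroadcastPendingIntent`) pass `newIntent` to the `PendingIntent` factory calls although their parameter is named `intent`, and two of them end with a bare `PendingIntent.getService` line after the if/else, so as shown they should not compile; each return should read like `return PendingIntent.getActivity(ctx, value, intent, 67108864);` and the two stray lines should be deleted. On API 23+ the helpers pass only the immutable bit, so call sites in this section that previously used `FLAG_UPDATE_CURRENT` (for example in `scheduleLocalNotification`) would now get back an existing PendingIntent with its old extras; OR-ing the previous flag in, `67108864 | PendingIntent.FLAG_UPDATE_CURRENT`, or taking the flags as a parameter would keep that behaviour. A named constant for `67108864`, with a comment that it is `PendingIntent.FLAG_IMMUTABLE` (presumably written as a literal to build against an older SDK), would make the security intent easier to audit.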
@@ -428,15 +428,15 @@ public boolean isBackground() {
public void registerForPush(String key) {
Intent registrationIntent = new Intent("com.google.android.c2dm.intent.REGISTER");
registrationIntent.setPackage("com.google.android.gms");
registrationIntent.putExtra("app", PendingIntent.getBroadcast(this, 0, new Intent(), 0)); // boilerplate
registrationIntent.putExtra("app", AndroidImplementation.getBroadcastPendingIntent(this, 0, new Intent())); // boilerplate
registrationIntent.putExtra("sender", key);
startService(registrationIntent);
}

public void stopReceivingPush() {
Intent unregIntent = new Intent("com.google.android.c2dm.intent.UNREGISTER");
unregIntent.setPackage("com.google.android.gms");
unregIntent.putExtra("app", PendingIntent.getBroadcast(this, 0, new Intent(), 0));
unregIntent.putExtra("app", AndroidImplementation.getBroadcastPendingIntent(this, 0, new Intent()));
startService(unregIntent);
}
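Review bot: On devices below API 23 `getBroadcastPendingIntent` takes its else branch, so the `app` extra in `registerForPush` and `stopReceivingPush` is still a mutable PendingIntent wrapping an empty `new Intent()`, which is the pattern this commit sets out to close. No immutable flag exists on those releases, so giving the base intent an explicit target would narrow what a recipient can fill in, e.g. `new Intent().setPackage(getPackageName())`. The else branch also changes the flag at these two call sites from `0` to `FLAG_CANCEL_CURRENT`, so each call now cancels the PendingIntent handed out by the previous one; it is worth confirming that this is intended.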

@@ -103,7 +103,8 @@ public void onDestroy() {

public abstract PushCallback getPushCallbackInstance();
public abstract Class getStubClass();



@Override
public void push(final String value) {
final PushCallback callback = getPushCallbackInstance();
@@ -116,7 +117,7 @@ public void run() {
} else {
NotificationManager nm = (NotificationManager)getSystemService(NOTIFICATION_SERVICE);
Intent newIntent = new Intent(this, getStubClass());
PendingIntent contentIntent = PendingIntent.getActivity(this, 0, newIntent, PendingIntent.FLAG_CANCEL_CURRENT);
PendingIntent contentIntent = AndroidImplementation.createPendingIntent(this, 0, newIntent);



@@ -189,9 +189,8 @@ public void run() {
if (bgListenerClass != null) {
intent.setData(Uri.parse("http://codenameone.com/a?" + bgListenerClass.getName()));
}
PendingIntent pendingIntent = PendingIntent.getService(context, 0,
intent,
PendingIntent.FLAG_UPDATE_CURRENT);
PendingIntent pendingIntent = AndroidImplementation.getPendingIntent(context, 0,
intent);
inMemoryBackgroundLocationListener = AndroidLocationPlayServiceManager.this;


@@ -228,16 +227,15 @@ private PendingIntent createBackgroundPendingIntent(boolean forceService) {
Intent intent = new Intent(context, BackgroundLocationBroadcastReceiver.class);
intent.setData(Uri.parse("http://codenameone.com/a?" + bgListenerClass.getName()));
intent.setAction(BackgroundLocationBroadcastReceiver.ACTION_PROCESS_UPDATES);
PendingIntent pendingIntent = PendingIntent.getBroadcast(context, 0, intent, PendingIntent.FLAG_UPDATE_CURRENT);
PendingIntent pendingIntent = AndroidImplementation.getBroadcastPendingIntent(context, 0, intent);
return pendingIntent;
} else {


Intent intent = new Intent(context, BackgroundLocationHandler.class);
intent.setData(Uri.parse("http://codenameone.com/a?" + bgListenerClass.getName()));
PendingIntent pendingIntent = PendingIntent.getService(context, 0,
intent,
PendingIntent.FLAG_UPDATE_CURRENT);
PendingIntent pendingIntent = AndroidImplementation.getPendingIntent(context, 0,
intent);
return pendingIntent;
}
}
@@ -290,9 +288,8 @@ public void run() {
if (bgListenerClass != null) {
intent.putExtra("backgroundClass", bgListenerClass.getName());
}
PendingIntent pendingIntent = PendingIntent.getService(context, 0,
intent,
PendingIntent.FLAG_UPDATE_CURRENT);
PendingIntent pendingIntent = AndroidImplementation.getPendingIntent(context, 0,
intent);

//LocationServices.FusedLocationApi.removeLocationUpdates(getmGoogleApiClient(), pendingIntent);
removeLocationUpdates(context, pendingIntent);
@@ -481,16 +478,15 @@ private PendingIntent createGeofencePendingIntent(Class geofenceListenerClass, c
intent.setAction(BackgroundLocationBroadcastReceiver.ACTION_PROCESS_GEOFENCE_TRANSITIONS);
intent.setData(Uri.parse("http://codenameone.com/a?" + geofenceListenerClass.getName()));
//intent.setAction(BackgroundLocationBroadcastReceiver.ACTION_PROCESS_GEOFENCE_TRANSITIONS);
geofencePendingIntent = PendingIntent.getBroadcast(AndroidNativeUtil.getContext().getApplicationContext(), 0, intent, PendingIntent.FLAG_UPDATE_CURRENT);
geofencePendingIntent = AndroidImplementation.getBroadcastPendingIntent(AndroidNativeUtil.getContext().getApplicationContext(), 0, intent);
return geofencePendingIntent;
} else {

Intent intent = new Intent(context, GeofenceHandler.class);
intent.putExtra("geofenceClass", geofenceListenerClass.getName());
intent.putExtra("geofenceID", gf.getId());
PendingIntent pendingIntent = PendingIntent.getService(context, 0,
intent,
PendingIntent.FLAG_UPDATE_CURRENT);
PendingIntent pendingIntent = AndroidImplementation.getPendingIntent(context, 0,
intent);


return pendingIntent;
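Review bot: The PendingIntents in this section are handed to the location and geofencing APIs, which normally deliver their results by filling extras into the intent at send time; an immutable PendingIntent ignores that fill-in, so on API 23+ the receivers (`BackgroundLocationBroadcastReceiver`, `BackgroundLocationHandler`, `GeofenceHandler`) may get intents with no location or geofence payload. These intents already name an explicit component (`new Intent(context, BackgroundLocationHandler.class)` and the like), which is the safeguard that matters for a PendingIntent that has to stay mutable, so they are better served by a separate helper that keeps them mutable and passes `PendingIntent.FLAG_MUTABLE` on API 31+. The switch also drops `FLAG_UPDATE_CURRENT`, so a changed `backgroundClass`, `geofenceClass` or `geofenceID` extra would not replace the one held by an existing PendingIntent. The enclosing methods start and end outside the visible hunks, so the receiving side should be checked before relying on this.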
@@ -53,6 +53,7 @@

import android.text.TextUtils;

import com.codename1.impl.android.AndroidImplementation;
import com.codename1.ui.Display;


@@ -267,9 +268,6 @@ void showPausedNotification() {
}





private void initMediaSession() {
ComponentName mediaButtonReceiver = new ComponentName(getApplicationContext(), MediaButtonReceiver.class);
mMediaSessionCompat = new MediaSessionCompat(getApplicationContext(), "Tag", mediaButtonReceiver, null);
@@ -279,7 +277,7 @@ private void initMediaSession() {

Intent mediaButtonIntent = new Intent(Intent.ACTION_MEDIA_BUTTON);
mediaButtonIntent.setClass(this, MediaButtonReceiver.class);
PendingIntent pendingIntent = PendingIntent.getBroadcast(this, 0, mediaButtonIntent, 0);
PendingIntent pendingIntent = AndroidImplementation.getBroadcastPendingIntent(this, 0, mediaButtonIntent);
mMediaSessionCompat.setMediaButtonReceiver(pendingIntent);

setSessionToken(mMediaSessionCompat.getSessionToken());
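Review bot: The PendingIntent passed to `mMediaSessionCompat.setMediaButtonReceiver` in `initMediaSession` is now immutable on API 23+, and media-button delivery typically relies on the sender adding the key event to the intent when it fires, which an immutable PendingIntent discards. If `MediaButtonReceiver` reads the key event from the delivered intent, this one should stay mutable (the explicit `setClass(this, MediaButtonReceiver.class)` already pins the target) and pass `PendingIntent.FLAG_MUTABLE` on API 31+. On older devices the flag here also changes from `0` to `FLAG_CANCEL_CURRENT`. `initMediaSession` continues past the end of the hunk.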