This repository has been archived by the owner on Jan 14, 2022. It is now read-only.

Prevent abuse of intents #375

Merged
merged 2 commits into from
Jan 25, 2015

Conversation

steven676
Contributor

The patches in this series address the problem pointed out by @daoyuan14 in #374: the use of intent filters on activity aliases isn't sufficient to prevent outside users from triggering an intent if those intents are implemented by public, unprotected components. Specifically:

  • Patch 1 (5112961) closes the security hole reported in #374 by moving RUN_SCRIPT handling into its own activity, ensuring that outside users cannot bypass the permission check by explicitly targeting the main RemoteInterface.
  • Patch 2 (1c57509) protects a couple of internal-use-only intents in the Term activity from outside use by ignoring invocations that don't target the non-exported TermInternal alias. The impact of any potential mischief here is relatively low (I was unable to do more than change the current window, though I wouldn't put a crash completely beyond the realm of possibility), but this patch should be fairly low-risk (the only legitimate user of these intents is the remote interface, and that should be completely broken if this patch were to break things).

Lightly tested on a handful of emulators and a phone running 4.4.

We currently use intent filters to direct jackpal.androidterm.RUN_SCRIPT
actions to the RunScript activity, which is gated in the manifest by the
permission jackpal.androidterm.permission.RUN_SCRIPT.  However,
RunScript is an alias for the RemoteInterface activity, which is exposed
without the permission requirement; because applications are permitted to
explicitly specify a component when sending an intent, this allows an
application to trigger a RUN_SCRIPT action without having the
corresponding permission.

Fix this by removing RUN_SCRIPT handling from RemoteInterface and
creating a new RunScript activity (a subclass of RemoteInterface) to
handle RUN_SCRIPT actions.  Any scripts supplied by callers to
RemoteInterface will now be ignored, though the call will open a new
terminal window.

Thanks to Daoyuan Wu for reporting and analyzing the issue.  Fixes #374.

The main Term activity implements a set of private intents for use by
the remote interfaces.  These are only supposed to be used via the
TermInternal activity alias, which is private to TEA, but it's possible
for another application to invoke these on the main Term activity by
explicitly specifying a component name (as in #374).  It should not be
possible to do more than crash TEA via these intents, but let's prevent
outside applications from using them anyway by ignoring requests which
don't come via the TermInternal alias.
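The root cause described in the PR description and in the first commit message, as a constructed manifest fragment (added for illustration; not the project's actual AndroidManifest.xml). The action and permission names are the ones the PR names; the package name and the ".RemoteInterface"/".RunScript" class names are assumptions.

```xml
<!-- Constructed example, not the project's manifest. Action and permission
     names come from the PR; package and ".Foo" class names are assumed. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="jackpal.androidterm">

    <permission android:name="jackpal.androidterm.permission.RUN_SCRIPT" />

    <application>

        <!-- RemoteInterface stays exported for its other intents (filters
             omitted here). It carries no android:permission, and after the
             fix it no longer handles RUN_SCRIPT at all. -->
        <activity android:name=".RemoteInterface"
                  android:exported="true" />

        <!-- BEFORE the fix, RUN_SCRIPT was routed through an alias like this:

             <activity-alias android:name=".RunScript"
                             android:targetActivity=".RemoteInterface"
                             android:permission="jackpal.androidterm.permission.RUN_SCRIPT">
                 <intent-filter>
                     <action android:name="jackpal.androidterm.RUN_SCRIPT" />
                     <category android:name="android.intent.category.DEFAULT" />
                 </intent-filter>
             </activity-alias>

             android:permission is enforced per component. An implicit intent
             resolved to the alias is checked, but an intent whose component is
             set explicitly (Intent.setComponent) to RemoteInterface is delivered
             to RemoteInterface, which ran the script with no permission check. -->

        <!-- AFTER the fix: RunScript is a real activity (a subclass of
             RemoteInterface) that carries the permission itself, so the check
             holds no matter how the intent is addressed. -->
        <activity android:name=".RunScript"
                  android:exported="true"
                  android:permission="jackpal.androidterm.permission.RUN_SCRIPT">
            <intent-filter>
                <action android:name="jackpal.androidterm.RUN_SCRIPT" />
                <category android:name="android.intent.category.DEFAULT" />
            </intent-filter>
        </activity>

    </application>
</manifest>
```

The same per-component rule is why the second patch cannot rely on the TermInternal alias being non-exported: the Term activity it targets must itself check where the intent came from.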
@jackpal jackpal merged commit 1c57509 into jackpal:master Jan 25, 2015
@jackpal
Owner

jackpal commented Jan 25, 2015

Thanks! I'll try to get a new release out today with this fix.

@VinnieBII

Need Internet Network Security!
