AssetRedirectionManager: Accept redirections only for whitelisted resource types

Change-Id: Idf1ea739a81719b6a196f0114c9fc3b7c7ff428c
author: Ricardo Cerqueira <cyanogenmod@cerqueira.org> 2013-06-26 11:48:13 +0100
committer: Ricardo Cerqueira <cyanogenmod@cerqueira.org> 2013-06-26 12:34:23 +0100
commit: 496764cae89759be0374bf5ed8bd05deb41b72ff (patch)
tree: cd5118fcf97dc3626fa6d169dc5b16c2832e9466 /services/java
parent: b14d53644cb4269adf4d0e344af5e7af3cd51974 (diff)
download: frameworks_base-496764cae89759be0374bf5ed8bd05deb41b72ff.zip
frameworks_base-496764cae89759be0374bf5ed8bd05deb41b72ff.tar.gz
frameworks_base-496764cae89759be0374bf5ed8bd05deb41b72ff.tar.bz2
1 files changed, 23 insertions, 0 deletions
diff --git a/services/java/com/android/server/AssetRedirectionManagerService.java b/services/java/com/android/server/AssetRedirectionManagerService.java
index 3a62de0..ebe5a0f 100644
--- a/services/java/com/android/server/AssetRedirectionManagerService.java
+++ b/services/java/com/android/server/AssetRedirectionManagerService.java
@@ -375,14 +375,37 @@ public class AssetRedirectionManagerService extends IAssetRedirectionManager.Stu
             }
         }
 
+        /* Limit themeability to well-known visual resource types. Strings, booleans, integers,
+           and other resource types are very likely to be internal to applications or the system,
+           and should not be overridden */
+
+        private boolean checkAllowedResType(String name) {
+            String allowedResourceTypes[] = { "color", "dimen", "drawable", "mipmap", "style" };
+
+            for (String resType : allowedResourceTypes) {
+                if (name.startsWith(resType)) {
+                    return true;
+                }
+            }
+            return false;
+        }
+
         private void processItemTag() throws XmlPullParserException, IOException {
             XmlPullParser parser = mParser;
             String fromName = parser.getAttributeValue(null, "name");
+
             if (TextUtils.isEmpty(fromName)) {
                 Log.w(TAG, "Missing android:name attribute on <item> tag at " + getResourceLabel() + " " +
                         parser.getPositionDescription());
                 return;
             }
+
+            if (!checkAllowedResType(fromName)) {
+                Log.w(TAG, "Attempting to redirect unauthorized resource " + fromName + " at " + getResourceLabel() + " " +
+                        parser.getPositionDescription());
+                return;
+            }
+
             String toName = parser.nextText();
             if (TextUtils.isEmpty(toName)) {
                 Log.w(TAG, "Missing <item> text at " + getResourceLabel() + " " +
author	Ricardo Cerqueira <cyanogenmod@cerqueira.org>	2013-06-26 11:48:13 +0100
committer	Ricardo Cerqueira <cyanogenmod@cerqueira.org>	2013-06-26 12:34:23 +0100
commit	496764cae89759be0374bf5ed8bd05deb41b72ff (patch)
tree	cd5118fcf97dc3626fa6d169dc5b16c2832e9466 /services/java
parent	b14d53644cb4269adf4d0e344af5e7af3cd51974 (diff)
download	frameworks_base-496764cae89759be0374bf5ed8bd05deb41b72ff.zip frameworks_base-496764cae89759be0374bf5ed8bd05deb41b72ff.tar.gz frameworks_base-496764cae89759be0374bf5ed8bd05deb41b72ff.tar.bz2