diff options
author | Hongming Jin <hongmingjin@google.com> | 2016-07-29 14:29:54 -0700 |
---|---|---|
committer | The Android Automerger <android-build@android.com> | 2016-09-27 00:15:58 -0700 |
commit | fecfd550edeca422c0d9f32a9c0abe73398a1ff1 (patch) | |
tree | 4ddc10eaa47e4cd7d6647291bca96a728cd3723c | |
parent | 16024ea7c4bae08c972cf6b3734029aad33e8870 (diff) | |
download | base-fecfd550edeca422c0d9f32a9c0abe73398a1ff1.tar.gz |
Only return password for account session flow if the caller is signed
with system key and have get_password permission.
Bug: 30455516
Change-Id: I78484c59e4de1dff685ab91a0a8e7a756fffd9bf
(cherry picked from commit 9342e137c68e9d31e61b774f7a6583ed5f8353f9)
-rw-r--r-- | core/java/android/accounts/AccountManager.java | 4 | ||||
-rw-r--r-- | services/core/java/com/android/server/accounts/AccountManagerService.java | 12 |
2 files changed, 6 insertions, 10 deletions
diff --git a/core/java/android/accounts/AccountManager.java b/core/java/android/accounts/AccountManager.java index 7465ed92e469..d3551b73cf3f 100644 --- a/core/java/android/accounts/AccountManager.java +++ b/core/java/android/accounts/AccountManager.java @@ -2676,8 +2676,6 @@ public class AccountManager { * <ul> * <li>{@link #KEY_ACCOUNT_SESSION_BUNDLE} - encrypted Bundle for * adding the the to the device later. - * <li>{@link #KEY_PASSWORD} - optional, the password or password - * hash of the account. * <li>{@link #KEY_ACCOUNT_STATUS_TOKEN} - optional, token to check * status of the account * </ul> @@ -2765,8 +2763,6 @@ public class AccountManager { * <ul> * <li>{@link #KEY_ACCOUNT_SESSION_BUNDLE} - encrypted Bundle for * updating the local credentials on device later. - * <li>{@link #KEY_PASSWORD} - optional, the password or password - * hash of the account * <li>{@link #KEY_ACCOUNT_STATUS_TOKEN} - optional, token to check * status of the account * </ul> diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java index f7bd04b08ede..747ddc255bf6 100644 --- a/services/core/java/com/android/server/accounts/AccountManagerService.java +++ b/services/core/java/com/android/server/accounts/AccountManagerService.java @@ -2671,10 +2671,9 @@ public class AccountManagerService boolean isPasswordForwardingAllowed = isPermitted( callerPkg, uid, Manifest.permission.GET_PASSWORD); - int usrId = UserHandle.getCallingUserId(); long identityToken = clearCallingIdentity(); try { - UserAccounts accounts = getUserAccounts(usrId); + UserAccounts accounts = getUserAccounts(userId); logRecordWithUid(accounts, DebugDbHelper.ACTION_CALLED_START_ACCOUNT_ADD, TABLE_ACCOUNTS, uid); new StartAccountSession( @@ -2735,10 +2734,6 @@ public class AccountManagerService checkKeyIntent( Binder.getCallingUid(), intent); - // Omit passwords if the caller isn't permitted to see them. - if (!mIsPasswordForwardingAllowed) { - result.remove(AccountManager.KEY_PASSWORD); - } } IAccountManagerResponse response; if (mExpectActivityLaunch && result != null @@ -2768,6 +2763,11 @@ public class AccountManagerService return; } + // Omit passwords if the caller isn't permitted to see them. + if (!mIsPasswordForwardingAllowed) { + result.remove(AccountManager.KEY_PASSWORD); + } + // Strip auth token from result. result.remove(AccountManager.KEY_AUTHTOKEN); |