[DO NOT MERGE] Verify URI Permissions in Autofill RemoteViews
Check permissions of URI inside of FillResponse's RemoteViews. If the current user does not have the required permissions to view the URI, the RemoteView is dropped from displaying. This fixes a security spill in which a user can view content of another user through a malicious Autofill provider. Bug: 283137865 Fixes: b/283264674 b/281666022 b/281665050 b/281848557 b/281533566 b/281534749 b/283101289 Test: Verified by POC app attached in bugs Test: atest CtsAutoFillServiceTestCases (added new tests) Change-Id: I6f4d2a35e89bbed7bd9e07bf5cd3e2d68b20af9a Merged-In: I6f4d2a35e89bbed7bd9e07bf5cd3e2d68b20af9a
Loading
Please register or sign in to comment