git.osdn.net Git - android-x86/frameworks-base.git/commit

author	Sterling Huber <hubers@google.com>
	Thu, 7 Nov 2019 19:04:03 +0000 (11:04 -0800)
committer	Manjae Park <manjaepark@google.com>
	Mon, 16 Dec 2019 20:47:23 +0000 (12:47 -0800)
commit	86fbde617077681ba03fd906871213d7b57c3e96
tree	bda7485f108c2b6857af1d98aa15cf612fb6a70c	tree \| snapshot
parent	d888bf2d052fd89fbeb70c7829f9d0c6406c2cdd	commit \| diff

RESTRICT AUTOMERGE
Make toasts non-clickable

Since enforcement was only on client-side, in Toast class, an app could
use reflection (or other means) to make the Toast clickable. This is a
security vulnerability since it allows tapjacking, that is, intercept touch
events and do stuff like steal PINs and passwords.

This CL brings the enforcement to the system by applying flag
FLAG_NOT_TOUCHABLE.

Test: atest CtsWindowManagetDeviceTestCases:ToastTest
Test: Construct app that uses reflection to remove flag FLAG_NOT_TOUCHABLE and
      log click events. Then:
      1) Observe click events are logged without this CL.
      2) Observer click events are not logged with this CL.
Bug: 128674520

Change-Id: Ica346c853dcb9a1e494f7143ba1c38d22c0003d0
(cherry picked from commit 6bf18c39d9fc727523fa3201567b836032bb2114)