Fix issue #22860466: viapi security bug - rubber stamping in nested VIs

The settings activities that get launched directly by voice now
protect themselves to only execute if they were actually directly
launched by the voice interaction service, rather than allowing
any activity currently under voice control to abuse them.

Note the original code also allowed them to execute regardless of
whether they were running under voice, since it allowed for a null
saved state.  I assume that was a mistake, so have removed it.

Change-Id: Ib2269a7ee13016d300afba7fa257bfaca8990fab

diff --git a/src/com/android/settings/utils/VoiceSettingsActivity.java b/src/com/android/settings/utils/VoiceSettingsActivity.java
index 4477e92..d8a00c7 100644 (file)
--- a/src/com/android/settings/utils/VoiceSettingsActivity.java
+++ b/src/com/android/settings/utils/VoiceSettingsActivity.java
@@ -41,7 +41,7 @@ abstract public class VoiceSettingsActivity extends Activity {
     public void onCreate(Bundle savedInstanceState) {
         super.onCreate(savedInstanceState);
 
-        if (isVoiceInteraction() || savedInstanceState == null) {
+        if (isVoiceInteractionRoot()) {
             // Only permit if this is a voice interaction.
             if (onVoiceSettingInteraction(getIntent())) {
                 // If it's complete, finish.
@@ -60,7 +60,7 @@ abstract public class VoiceSettingsActivity extends Activity {
     abstract protected boolean onVoiceSettingInteraction(Intent intent);
 
     /**
-     * Send a notification that the interaction was successful. If {@link prompt} is
+     * Send a notification that the interaction was successful. If {@param prompt} is
      * not null, then it will be read to the user.
      */
     protected void notifySuccess(CharSequence prompt) {