Merge "LatinIME: Fix Implicit PendingIntent Vulnerability" into main am: 1b3568f am: fee42b3

Original change: https://android-review.googlesource.com/c/platform/packages/inputmethods/LatinIME/+/3019664

Change-Id: Ic393ce61210263a49384bbdd232a49e1ef10ae13
Signed-off-by: Automerger Merge Worker <[email protected]>

Author: Treehugger Robot

java/src/com/android/inputmethod/dictionarypack/DictionaryService.java

@@ -229,8 +229,14 @@ private static void checkTimeAndMaybeSetupUpdateAlarm(final Context context) {
         final long now = System.currentTimeMillis();
         final long alarmTime = now + new Random().nextInt(MAX_ALARM_DELAY_MILLIS);
         final Intent updateIntent = new Intent(DictionaryPackConstants.UPDATE_NOW_INTENT_ACTION);
+        // Set the package name to ensure the PendingIntent is only delivered to trusted components
+        updateIntent.setPackage(context.getPackageName());
+        int pendingIntentFlags = PendingIntent.FLAG_CANCEL_CURRENT;
+        if (android.os.Build.VERSION.SDK_INT >= 23) {
+            pendingIntentFlags |= PendingIntent.FLAG_IMMUTABLE;
+        }
         final PendingIntent pendingIntent = PendingIntent.getBroadcast(context, 0,
-                updateIntent, PendingIntent.FLAG_CANCEL_CURRENT);
+                updateIntent, pendingIntentFlags);
 
         // We set the alarm in the type that doesn't forcefully wake the device
         // from sleep, but fires the next time the device actually wakes for any