
Commit 15fdb150 authored by Sunny Goyal's avatar Sunny Goyal

Preventing component spoofing during getShortcutConfigActivityIntent

Bug: 160153281
Test: atest ShortcutManagerConfigActivityTest
Change-Id: I93e63f10b0ec5066619ae44d49f7226fe42e949b
parent f8f0b730
+17 −1
@@ -636,9 +636,25 @@ public class LauncherAppsService extends SystemService {
            Objects.requireNonNull(component);

            // All right, create the sender.
            Intent intent = new Intent(Intent.ACTION_CREATE_SHORTCUT).setComponent(component);
            final int callingUid = injectBinderCallingUid();
            final long identity = Binder.clearCallingIdentity();
            try {
                final PackageManagerInternal pmInt =
                        LocalServices.getService(PackageManagerInternal.class);
                Intent packageIntent = new Intent(Intent.ACTION_CREATE_SHORTCUT)
                        .setPackage(component.getPackageName());
                List<ResolveInfo> apps = pmInt.queryIntentActivities(packageIntent,
                        packageIntent.resolveTypeIfNeeded(mContext.getContentResolver()),
                        PackageManager.MATCH_DIRECT_BOOT_AWARE
                                | PackageManager.MATCH_DIRECT_BOOT_UNAWARE,
                        callingUid, user.getIdentifier());
                // ensure that the component is present in the list
                if (!apps.stream().anyMatch(
                        ri -> component.getClassName().equals(ri.activityInfo.name))) {
                    return null;
                }

                Intent intent = new Intent(Intent.ACTION_CREATE_SHORTCUT).setComponent(component);
                final PendingIntent pi = PendingIntent.getActivityAsUser(
                        mContext, 0, intent, PendingIntent.FLAG_ONE_SHOT
                                | PendingIntent.FLAG_IMMUTABLE | PendingIntent.FLAG_CANCEL_CURRENT,
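Review bot: The membership check at `apps.stream().anyMatch(...)` is the only gate before the PendingIntent is built under the cleared calling identity, and it compares the class name alone without looking at `ri.activityInfo.exported` or any permission the activity requires. Whether `queryIntentActivities` called with `callingUid` already excludes activities the caller could not start itself is not visible in this hunk, so either tighten the predicate, e.g. `ri -> ri.activityInfo.exported && component.getClassName().equals(ri.activityInfo.name)`, or add a comment above the check stating what the query guarantees. The rejection path `return null;` is also silent; a warning log carrying `callingUid` and `component` would make rejected requests visible to anyone triaging spoofing attempts. As a style point, `!…anyMatch(…)` reads more directly as `noneMatch(…)`. The enclosing method starts and ends outside the hunk.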