Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3bd17cdc authored by Nan Wu's avatar Nan Wu
Browse files

ResolverActivity and IntentForwarderActivity refreshes token 

These 2 Activiies are still in use and have to refresh creator
tokens before they launch the intents.

Bug: 369856138
Test: Manual test
Flag: android.security.prevent_intent_redirect
Change-Id: I4df6849bec9a1c10e92ce6c452ec3989780ef510
parent 50201ffc

core/java/com/android/internal/app/IntentForwarderActivity.java

+5 −0
Original line number Diff line number Diff line
@@ -70,6 +70,7 @@ import android.widget.Toast; 


import com.android.internal.R;

import com.android.internal.annotations.VisibleForTesting;

import com.android.internal.app.chooser.TargetInfo;

import com.android.internal.logging.MetricsLogger;

import com.android.internal.logging.nano.MetricsProto.MetricsEvent;
@@ -352,6 +353,7 @@ public class IntentForwarderActivity extends Activity { 
        findViewById(R.id.use_same_profile_browser).setOnClickListener(v -> finish());



        findViewById(R.id.button_open).setOnClickListener(v -> {

            TargetInfo.refreshIntentCreatorToken(launchIntent);

            startActivityAsCaller(

                    launchIntent,

                    ActivityOptions.makeCustomAnimation(
@@ -476,6 +478,7 @@ public class IntentForwarderActivity extends Activity { 


    private void startActivityAsCaller(Intent newIntent, int userId) {

        try {

            TargetInfo.refreshIntentCreatorToken(newIntent);

            startActivityAsCaller(

                    newIntent,

                    /* options= */ null,
@@ -502,6 +505,7 @@ public class IntentForwarderActivity extends Activity { 
            return;

        }

        sanitizeIntent(innerIntent);

        TargetInfo.refreshIntentCreatorToken(intentReceived);

        startActivityAsCaller(intentReceived, null, false, getUserId());

        finish();

    }
@@ -525,6 +529,7 @@ public class IntentForwarderActivity extends Activity { 
        if (singleTabOnly) {

            intentReceived.putExtra(EXTRA_RESTRICT_TO_SINGLE_USER, true);

        }

        TargetInfo.refreshIntentCreatorToken(intentReceived);

        startActivityAsCaller(intentReceived, null, false, userId);

        finish();

    }

core/java/com/android/internal/app/chooser/DisplayResolveInfo.java

+2 −0
Original line number Diff line number Diff line
@@ -173,6 +173,7 @@ public class DisplayResolveInfo implements TargetInfo, Parcelable { 
    @Override

    public boolean startAsCaller(ResolverActivity activity, Bundle options, int userId) {

        TargetInfo.prepareIntentForCrossProfileLaunch(mResolvedIntent, userId);

        TargetInfo.refreshIntentCreatorToken(mResolvedIntent);

        activity.startActivityAsCaller(mResolvedIntent, options, false, userId);

        return true;

    }
@@ -180,6 +181,7 @@ public class DisplayResolveInfo implements TargetInfo, Parcelable { 
    @Override

    public boolean startAsUser(Activity activity, Bundle options, UserHandle user) {

        TargetInfo.prepareIntentForCrossProfileLaunch(mResolvedIntent, user.getIdentifier());

        TargetInfo.refreshIntentCreatorToken(mResolvedIntent);

        activity.startActivityAsUser(mResolvedIntent, options, user);

        return false;

    }

core/java/com/android/internal/app/chooser/SelectableTargetInfo.java

+1 −0
Original line number Diff line number Diff line
@@ -260,6 +260,7 @@ public final class SelectableTargetInfo implements ChooserTargetInfo { 
        intent.setComponent(mChooserTarget.getComponentName());

        intent.putExtras(mChooserTarget.getIntentExtras());

        TargetInfo.prepareIntentForCrossProfileLaunch(intent, userId);

        TargetInfo.refreshIntentCreatorToken(intent);



        // Important: we will ignore the target security checks in ActivityManager

        // if and only if the ChooserTarget's target package is the same package

core/java/com/android/internal/app/chooser/TargetInfo.java

+20 −0
Original line number Diff line number Diff line
@@ -17,13 +17,17 @@ 
package com.android.internal.app.chooser;





import static android.security.Flags.preventIntentRedirect;



import android.app.Activity;

import android.app.ActivityManager;

import android.content.ComponentName;

import android.content.Context;

import android.content.Intent;

import android.content.pm.ResolveInfo;

import android.graphics.drawable.Drawable;

import android.os.Bundle;

import android.os.RemoteException;

import android.os.UserHandle;



import com.android.internal.app.ResolverActivity;
@@ -141,4 +145,20 @@ public interface TargetInfo { 
            intent.fixUris(currentUserId);

        }

    }



    /**

     * refreshes intent's creatorToken with its current intent key fields. This allows

     * ChooserActivity to still keep original creatorToken's creator uid after making changes to

     * the intent and still keep it valid.

     * @param intent the intent's creatorToken needs to up refreshed.

     */

    static void refreshIntentCreatorToken(Intent intent) {

        if (!preventIntentRedirect()) return;

        try {

            intent.setCreatorToken(ActivityManager.getService().refreshIntentCreatorToken(

                    intent.cloneForCreatorToken()));

        } catch (RemoteException e) {

            throw new RuntimeException("Failure from system", e);

        }

    }

}