Commit 82b9565b authored by Adam Powell

Backport ChooserTarget package source check from N

Fix a bug where a ChooserTargetService could supply a ChooserTarget
pointing at a non-exported activity outside of its own package and
have it launch.

Bug 28384423

Change-Id: I3f5854f91c5695ad9253d71055ef58224df47008
parent 825b7134
+13 −1
@@ -616,7 +616,19 @@ public class ChooserActivity extends ResolverActivity {
            }
            intent.setComponent(mChooserTarget.getComponentName());
            intent.putExtras(mChooserTarget.getIntentExtras());
            activity.startActivityAsCaller(intent, options, true, userId);

            // Important: we will ignore the target security checks in ActivityManager
            // if and only if the ChooserTarget's target package is the same package
            // where we got the ChooserTargetService that provided it. This lets a
            // ChooserTargetService provide a non-exported or permission-guarded target
            // to the chooser for the user to pick.
            //
            // If mSourceInfo is null, we got this ChooserTarget from the caller or elsewhere
            // so we'll obey the caller's normal security checks.
            final boolean ignoreTargetSecurity = mSourceInfo != null
                    && mSourceInfo.getResolvedComponentName().getPackageName()
                    .equals(mChooserTarget.getComponentName().getPackageName());
            activity.startActivityAsCaller(intent, options, ignoreTargetSecurity, userId);
            return true;
        }
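
Review bot: The `ignoreTargetSecurity` expression null-checks only `mSourceInfo`; `mSourceInfo.getResolvedComponentName()` and `mChooserTarget.getComponentName()` are dereferenced without a guard. If either can return null, launching that target throws instead of falling back to the caller's normal security checks, which is the safe default the comment describes for the `mSourceInfo == null` case. Consider resolving both component names into locals, treating a null on either side as `ignoreTargetSecurity = false`, and only then comparing package names. The match is also on package name alone, so the comment could state that any non-exported or permission-guarded activity in the providing service's own package is intentionally reachable this way. A regression test with a ChooserTargetService that returns a target whose component is in another package, asserting that the target security checks are not bypassed, would keep the hard-coded `true` from being reintroduced.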