Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9f2d3f09 authored by Himanshu Arora's avatar Himanshu Arora Committed by Android Build Coastguard Worker
Browse files

Prevent a malicious selector from launching an arbitrary activity. 

PickActivity reuses the incoming intent to show more apps that can handle the request. If the original intent has a selector, it can be used to launch an arbitrary activity with the permissions of DocumentsUI.
This change fixes the vulnerability by clearing the selector on the copied intent.

Bug: 447135012
Flag: EXEMPT BUGFIX
Test: manual
(cherry picked from commit 32d6a7338dc3f655832c2832dc93d2cc66a2021e)
Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:8eebea12db1815135398dfcc4c0276966c2790f9
Merged-In: I3e2eeaab8990a20fe639a165630ed1773e47fb3c
Change-Id: I3e2eeaab8990a20fe639a165630ed1773e47fb3c
parent 3fb45084

src/com/android/documentsui/picker/PickActivity.java

+2 −0
Original line number Diff line number Diff line
@@ -236,6 +236,8 @@ public class PickActivity extends BaseActivity implements ActionHandler.Addons { 
        final Intent moreApps = new Intent(intent);

        moreApps.setComponent(null);

        moreApps.setPackage(null);

        // Clear the selector to prevent a malicious selector from launching an arbitrary activity.

        moreApps.setSelector(null);

        if (mState.supportsCrossProfile) {

            if (mConfigStore.isPrivateSpaceInDocsUIEnabled() && SdkLevel.isAtLeastS()) {

                mState.canForwardToProfileIdMap = mUserManagerState.getCanForwardToProfileIdMap(