Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a48245c5 authored by Himanshu Arora's avatar Himanshu Arora Committed by Android Build Coastguard Worker
Browse files

Prevent a malicious selector from launching an arbitrary activity. 

PickActivity reuses the incoming intent to show more apps that can handle the request. If the original intent has a selector, it can be used to launch an arbitrary activity with the permissions of DocumentsUI.
This change fixes the vulnerability by clearing the selector on the copied intent.

Bug: 447135012
Flag: EXEMPT BUGFIX
Test: manual
(cherry picked from commit 32d6a7338dc3f655832c2832dc93d2cc66a2021e)
Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:c39362f4223b0a31eacb87b5f7b16441910f0dbc
Merged-In: I3e2eeaab8990a20fe639a165630ed1773e47fb3c
Change-Id: I3e2eeaab8990a20fe639a165630ed1773e47fb3c
parent cf72487d

src/com/android/documentsui/picker/PickActivity.java

+2 −0
Original line number Diff line number Diff line
@@ -215,6 +215,8 @@ public class PickActivity extends BaseActivity implements ActionHandler.Addons { 
        final Intent moreApps = new Intent(intent);

        moreApps.setComponent(null);

        moreApps.setPackage(null);

        // Clear the selector to prevent a malicious selector from launching an arbitrary activity.

        moreApps.setSelector(null);

        if (mState.supportsCrossProfile()

                && CrossProfileUtils.getCrossProfileResolveInfo(

                        getPackageManager(), moreApps) != null) {