From 15f898d5082a2e0f9bf7d35d4e4e3f4fadcb3a90 Mon Sep 17 00:00:00 2001 From: Himanshu Arora Date: Thu, 30 Oct 2025 10:30:43 +0000 Subject: [PATCH] Prevent a malicious selector from launching an arbitrary activity. PickActivity reuses the incoming intent to show more apps that can handle the request. If the original intent has a selector, it can be used to launch an arbitrary activity with the permissions of DocumentsUI. This change fixes the vulnerability by clearing the selector on the copied intent. Bug: 447135012 Flag: EXEMPT BUGFIX Test: manual (cherry picked from commit 32d6a7338dc3f655832c2832dc93d2cc66a2021e) Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:550b1a413361b58511a92c0e4a451c5efd0945f1 Merged-In: I3e2eeaab8990a20fe639a165630ed1773e47fb3c Change-Id: I3e2eeaab8990a20fe639a165630ed1773e47fb3c
---
 src/com/android/documentsui/picker/PickActivity.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/com/android/documentsui/picker/PickActivity.java b/src/com/android/documentsui/picker/PickActivity.java
index e9b91b1a0..5eccd1e3b 100644
--- a/src/com/android/documentsui/picker/PickActivity.java
+++ b/src/com/android/documentsui/picker/PickActivity.java
@@ -230,6 +230,8 @@ public class PickActivity extends BaseActivity implements ActionHandler.Addons {
 final Intent moreApps = new Intent(intent);
 moreApps.setComponent(null);
 moreApps.setPackage(null);
+ // Clear the selector to prevent a malicious selector from launching an arbitrary activity.
+ moreApps.setSelector(null);
 if (mState.supportsCrossProfile) {
 if (mConfigStore.isPrivateSpaceInDocsUIEnabled() && SdkLevel.isAtLeastS()) {
 mState.canForwardToProfileIdMap = mUserManagerState.getCanForwardToProfileIdMap(
-- 
GitLab
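Review bot: `moreApps` is still a full copy of the caller's intent with fields reset one at a time, so anything not explicitly cleared after `new Intent(intent)` (URI-grant flags, ClipData, extras) travels with it; the added `setSelector(null)` closes only the selector path. Whether that matters depends on how `moreApps` is later resolved and started, which is outside this hunk. If it is started under DocumentsUI's identity, consider also dropping the grant flags, e.g. `moreApps.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);`, or building the intent from an allowlist of action, data, type and categories instead of a copy. The new comment could also state the reason: when a selector is present, resolution uses it instead of the main intent's contents, so clearing component and package alone does not constrain the target. The commit lists `Test: manual`; a unit test asserting that the copied intent's `getSelector()` is null would keep this from regressing.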