From a48245c5bfa71b54684e11f71dd1a961e57b4667 Mon Sep 17 00:00:00 2001
From: Himanshu Arora <hmarora@google.com>
Date: Thu, 30 Oct 2025 10:30:43 +0000
Subject: [PATCH] Prevent a malicious selector from launching an arbitrary
 activity.

PickActivity reuses the incoming intent to show more apps that can handle the request. If the original intent has a selector, it can be used to launch an arbitrary activity with the permissions of DocumentsUI.
This change fixes the vulnerability by clearing the selector on the copied intent.

Bug: 447135012
Flag: EXEMPT BUGFIX
Test: manual
(cherry picked from commit 32d6a7338dc3f655832c2832dc93d2cc66a2021e)
Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:c39362f4223b0a31eacb87b5f7b16441910f0dbc
Merged-In: I3e2eeaab8990a20fe639a165630ed1773e47fb3c
Change-Id: I3e2eeaab8990a20fe639a165630ed1773e47fb3c
---
 src/com/android/documentsui/picker/PickActivity.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/com/android/documentsui/picker/PickActivity.java b/src/com/android/documentsui/picker/PickActivity.java
index c2fbd50a0..1968d7367 100644
--- a/src/com/android/documentsui/picker/PickActivity.java
+++ b/src/com/android/documentsui/picker/PickActivity.java
@@ -215,6 +215,8 @@ public class PickActivity extends BaseActivity implements ActionHandler.Addons {
         final Intent moreApps = new Intent(intent);
         moreApps.setComponent(null);
         moreApps.setPackage(null);
+        // Clear the selector to prevent a malicious selector from launching an arbitrary activity.
+        moreApps.setSelector(null);
         if (mState.supportsCrossProfile()
                 && CrossProfileUtils.getCrossProfileResolveInfo(
                         getPackageManager(), moreApps) != null) {
-- 
GitLab