Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f0261b5b authored by Pinyao Ting's avatar Pinyao Ting
Browse files

[RESTRICT AUTOMERGE] Fix permission issue in legacy shortcut

When building legacy shortcut, Launcher calls
PackageManager#resolveActivity to retrieve necessary permission to
launch the intent.

However, when the source app wraps an arbitrary intent within
Intent#createChooser, the existing logic will fail because launching
Chooser doesn't require additional permission.

This CL fixes the security vulnerability by performing the permission
check against the intent that is wrapped within.

Bug: 270152142
Test: manual
Change-Id: I05ccbde0a873569f24af4d3675a86830ba54c43f
parent dedca445
Loading
Loading
Loading
Loading
+12 −0
Original line number Diff line number Diff line
@@ -145,6 +145,18 @@ public class PackageManagerHelper {
     * any permissions
     */
    public boolean hasPermissionForActivity(Intent intent, String srcPackage) {
        // b/270152142
        if (Intent.ACTION_CHOOSER.equals(intent.getAction())) {
            final Bundle extras = intent.getExtras();
            if (extras == null) {
                return true;
            }
            // If given intent is ACTION_CHOOSER, verify srcPackage has permission over EXTRA_INTENT
            intent = (Intent) extras.getParcelable(Intent.EXTRA_INTENT);
            if (intent == null) {
                return true;
            }
        }
        ResolveInfo target = mPm.resolveActivity(intent, 0);
        if (target == null) {
            // Not a valid target