[RESTRICT AUTOMERGE] Fix permission issue in legacy shortcut

When building legacy shortcut, Launcher calls PackageManager#resolveActivity to retrieve necessary permission to launch the intent. However, when the source app wraps an arbitrary intent within Intent#createChooser, the existing logic will fail because launching Chooser doesn't require additional permission. This CL fixes the security vulnerability by performing the permission check against the intent that is wrapped within. Bug: 270152142 Test: manual Change-Id: I05ccbde0a873569f24af4d3675a86830ba54c43f
2023-06-01 18:12:44 -07:00
parent dedca445bb
commit f0261b5b38
1 changed files with 12 additions and 0 deletions
@@ -145,6 +145,18 @@ public class PackageManagerHelper {
     * any permissions
     */
    public boolean hasPermissionForActivity(Intent intent, String srcPackage) {
+        // b/270152142
+        if (Intent.ACTION_CHOOSER.equals(intent.getAction())) {
+            final Bundle extras = intent.getExtras();
+            if (extras == null) {
+                return true;
+            }
+            // If given intent is ACTION_CHOOSER, verify srcPackage has permission over EXTRA_INTENT
+            intent = (Intent) extras.getParcelable(Intent.EXTRA_INTENT);
+            if (intent == null) {
+                return true;
+            }
+        }
        ResolveInfo target = mPm.resolveActivity(intent, 0);
        if (target == null) {
            // Not a valid target