Check underlying intent as well as intent selector

When checking if an intent can be forwarded across profiles, the
selector action is checked rather than the intent itself.
This means bad intents can be spoofed with a different selector and
launched across profiles.

Bug: 376674080
Test: manually tested
Flag: EXEMPT bugfix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fc28861349e0113f807016501da3e1fd963b59fa)
Merged-In: If04e1020fc5a09f04630ba08d7e3b3012f2aa577
Change-Id: If04e1020fc5a09f04630ba08d7e3b3012f2aa577
diff --git a/core/java/com/android/internal/app/IntentForwarderActivity.java b/core/java/com/android/internal/app/IntentForwarderActivity.java
index 644d699..d29ef38 100644
--- a/core/java/com/android/internal/app/IntentForwarderActivity.java
+++ b/core/java/com/android/internal/app/IntentForwarderActivity.java
@@ -599,24 +599,35 @@
                 Intent.FLAG_ACTIVITY_FORWARD_RESULT | Intent.FLAG_ACTIVITY_PREVIOUS_IS_TOP);
         sanitizeIntent(forwardIntent);
 
-        Intent intentToCheck = forwardIntent;
-        if (Intent.ACTION_CHOOSER.equals(forwardIntent.getAction())) {
+        if (!canForwardInner(forwardIntent, sourceUserId, targetUserId, packageManager,
+                contentResolver)) {
             return null;
         }
         if (forwardIntent.getSelector() != null) {
-            intentToCheck = forwardIntent.getSelector();
+            sanitizeIntent(forwardIntent.getSelector());
+            if (!canForwardInner(forwardIntent.getSelector(), sourceUserId, targetUserId,
+                    packageManager, contentResolver)) {
+                return null;
+            }
         }
-        String resolvedType = intentToCheck.resolveTypeIfNeeded(contentResolver);
-        sanitizeIntent(intentToCheck);
+        return forwardIntent;
+    }
+
+    private static boolean canForwardInner(Intent intent, int sourceUserId, int targetUserId,
+            IPackageManager packageManager, ContentResolver contentResolver) {
+        if (Intent.ACTION_CHOOSER.equals(intent.getAction())) {
+            return false;
+        }
+        String resolvedType = intent.resolveTypeIfNeeded(contentResolver);
         try {
             if (packageManager.canForwardTo(
-                    intentToCheck, resolvedType, sourceUserId, targetUserId)) {
-                return forwardIntent;
+                    intent, resolvedType, sourceUserId, targetUserId)) {
+                return true;
             }
         } catch (RemoteException e) {
             Slog.e(TAG, "PackageManagerService is dead?");
         }
-        return null;
+        return false;
     }
 
     /**
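Review bot: canForwardInner is the gate for cross-profile forwarding but has no comment, and nothing at the selector branch says that the outer intent and its selector must each pass on their own. I would add a short Javadoc above it, e.g. `/** Returns true only if {@code intent} is not ACTION_CHOOSER and the package manager allows forwarding it from sourceUserId to targetUserId; returns false on RemoteException. */`, plus a one-line comment at the selector branch stating that the selector is checked in addition to the intent, not instead of it. The selector branch also calls `forwardIntent.getSelector()` three times; a local `Intent selector = forwardIntent.getSelector();` would make it plain that the object being sanitized is the one being checked. The commit lists only manual testing, so an automated regression test for a non-forwardable intent paired with a forwardable selector would help keep the old behaviour from returning. The enclosing method begins above this hunk, so its earlier handling of forwardIntent is not visible here.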