Preventing component spoofing during getShortcutConfigActivityIntent

Bug: 160153281 Test: atest ShortcutManagerConfigActivityTest Change-Id: I93e63f10b0ec5066619ae44d49f7226fe42e949b
author: Sunny Goyal <sunnygoyal@google.com> 2021-04-14 12:05:58 -0700
committer: Sunny Goyal <sunnygoyal@google.com> 2021-04-14 12:06:07 -0700
commit: 15fdb150a3ad5fbeebdcb2cbb8832073b49c64d3 (patch)
tree: 9829a6302c9217e539911d6e214134321381cfd5
parent: f8f0b73025cacabaf5e74faa550b08e3f3dfb517 (diff)
1 files changed, 17 insertions, 1 deletions
diff --git a/services/core/java/com/android/server/pm/LauncherAppsService.java b/services/core/java/com/android/server/pm/LauncherAppsService.java
index 91a66acf433d..dd80e167f0b3 100644
--- a/services/core/java/com/android/server/pm/LauncherAppsService.java
+++ b/services/core/java/com/android/server/pm/LauncherAppsService.java
@@ -636,9 +636,25 @@ public class LauncherAppsService extends SystemService {
             Objects.requireNonNull(component);
 
             // All right, create the sender.
-            Intent intent = new Intent(Intent.ACTION_CREATE_SHORTCUT).setComponent(component);
+            final int callingUid = injectBinderCallingUid();
             final long identity = Binder.clearCallingIdentity();
             try {
+                final PackageManagerInternal pmInt =
+                        LocalServices.getService(PackageManagerInternal.class);
+                Intent packageIntent = new Intent(Intent.ACTION_CREATE_SHORTCUT)
+                        .setPackage(component.getPackageName());
+                List<ResolveInfo> apps = pmInt.queryIntentActivities(packageIntent,
+                        packageIntent.resolveTypeIfNeeded(mContext.getContentResolver()),
+                        PackageManager.MATCH_DIRECT_BOOT_AWARE
+                                | PackageManager.MATCH_DIRECT_BOOT_UNAWARE,
+                        callingUid, user.getIdentifier());
+                // ensure that the component is present in the list
+                if (!apps.stream().anyMatch(
+                        ri -> component.getClassName().equals(ri.activityInfo.name))) {
+                    return null;
+                }
+
+                Intent intent = new Intent(Intent.ACTION_CREATE_SHORTCUT).setComponent(component);
                 final PendingIntent pi = PendingIntent.getActivityAsUser(
                         mContext, 0, intent, PendingIntent.FLAG_ONE_SHOT
                                 | PendingIntent.FLAG_IMMUTABLE | PendingIntent.FLAG_CANCEL_CURRENT,
author	Sunny Goyal <sunnygoyal@google.com>	2021-04-14 12:05:58 -0700
committer	Sunny Goyal <sunnygoyal@google.com>	2021-04-14 12:06:07 -0700
commit	15fdb150a3ad5fbeebdcb2cbb8832073b49c64d3 (patch)
tree	9829a6302c9217e539911d6e214134321381cfd5
parent	f8f0b73025cacabaf5e74faa550b08e3f3dfb517 (diff)