author oli <olit@google.com> 2025-01-28 16:28:31 +0000
committer Cherrypicker Worker <android-build-cherrypicker-worker@google.com> 2025-01-29 08:26:38 -0800
commit60df29f18d32ddf64f99f1fd5240c879bc12a4ae (patch)
tree6a67d309ba384c2238d4cd5e5624041e24dc276e
parent4e372612f85e70d0092c346f0e921682c5906dc8 (diff)
Check underlying intent as well as intent selector
When checking if an intent can be forwarded across profiles, the selector action is checked rather than the intent itself. This means badIntents can be spoofed with a different selector and launched across profiles. Bug: 376674080 Test: manually tested Flag: EXEMPT bugfix (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fc28861349e0113f807016501da3e1fd963b59fa) Merged-In: If04e1020fc5a09f04630ba08d7e3b3012f2aa577 Change-Id: If04e1020fc5a09f04630ba08d7e3b3012f2aa577
-rw-r--r--core/java/com/android/internal/app/IntentForwarderActivity.java27
1 files changed, 19 insertions, 8 deletions
diff --git a/core/java/com/android/internal/app/IntentForwarderActivity.java b/core/java/com/android/internal/app/IntentForwarderActivity.java
index 65b59790e327..259e82181da1 100644
--- a/core/java/com/android/internal/app/IntentForwarderActivity.java
+++ b/core/java/com/android/internal/app/IntentForwarderActivity.java
@@ -512,24 +512,35 @@ public class IntentForwarderActivity extends Activity {
Intent.FLAG_ACTIVITY_FORWARD_RESULT | Intent.FLAG_ACTIVITY_PREVIOUS_IS_TOP);
sanitizeIntent(forwardIntent);
- Intent intentToCheck = forwardIntent;
- if (Intent.ACTION_CHOOSER.equals(forwardIntent.getAction())) {
+ if (!canForwardInner(forwardIntent, sourceUserId, targetUserId, packageManager,
+ contentResolver)) {
return null;
}
if (forwardIntent.getSelector() != null) {
- intentToCheck = forwardIntent.getSelector();
+ sanitizeIntent(forwardIntent.getSelector());
+ if (!canForwardInner(forwardIntent.getSelector(), sourceUserId, targetUserId,
+ packageManager, contentResolver)) {
+ return null;
+ }
+ }
+ return forwardIntent;
+ }
+
+ private static boolean canForwardInner(Intent intent, int sourceUserId, int targetUserId,
+ IPackageManager packageManager, ContentResolver contentResolver) {
+ if (Intent.ACTION_CHOOSER.equals(intent.getAction())) {
+ return false;
}
- String resolvedType = intentToCheck.resolveTypeIfNeeded(contentResolver);
- sanitizeIntent(intentToCheck);
+ String resolvedType = intent.resolveTypeIfNeeded(contentResolver);
try {
if (packageManager.canForwardTo(
- intentToCheck, resolvedType, sourceUserId, targetUserId)) {
- return forwardIntent;
+ intent, resolvedType, sourceUserId, targetUserId)) {
+ return true;
}
} catch (RemoteException e) {
Slog.e(TAG, "PackageManagerService is dead?");
}
- return null;
+ return false;
}
/**
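Review bot: `canForwardInner` appears to assume its argument has already been through `sanitizeIntent`, since both call sites in this hunk sanitize first and the helper no longer does, but nothing states that precondition. Either make `sanitizeIntent(intent);` the first statement of the helper, or add a Javadoc saying that the intent must be sanitized by the caller, that a chooser action is always rejected, and that a `RemoteException` from `canForwardTo` is treated as a denial. In the selector branch `forwardIntent.getSelector()` is read three times; `final Intent selector = forwardIntent.getSelector();` followed by `if (selector != null) {` would make it plain that the object sanitized is the object checked. The commit message lists only manual testing, so a unit test that expects `null` when either the main intent or its selector is not forwardable would keep this check from regressing. The start of the enclosing method is outside the hunk.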