Merge "Preventing component spoofing during getShortcutConfigActivityIntent" into sc-dev

author: TreeHugger Robot <treehugger-gerrit@google.com> 2021-04-15 01:01:14 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> 2021-04-15 01:01:14 +0000
commit: d8b162aac83b1bbf6c6c3c61699cdbe23fada30c (patch)
tree: ab40de54f8cc4e7779ccecf23d3ffa759fffc1de
parent: e53db0d40254f57d8af33e0dcac43e464a06bd31 (diff)
parent: 15fdb150a3ad5fbeebdcb2cbb8832073b49c64d3 (diff)
1 files changed, 17 insertions, 1 deletions
diff --git a/services/core/java/com/android/server/pm/LauncherAppsService.java b/services/core/java/com/android/server/pm/LauncherAppsService.java
index 91a66acf433d..dd80e167f0b3 100644
--- a/services/core/java/com/android/server/pm/LauncherAppsService.java
+++ b/services/core/java/com/android/server/pm/LauncherAppsService.java
@@ -636,9 +636,25 @@ public class LauncherAppsService extends SystemService {
             Objects.requireNonNull(component);
 
             // All right, create the sender.
-            Intent intent = new Intent(Intent.ACTION_CREATE_SHORTCUT).setComponent(component);
+            final int callingUid = injectBinderCallingUid();
             final long identity = Binder.clearCallingIdentity();
             try {
+                final PackageManagerInternal pmInt =
+                        LocalServices.getService(PackageManagerInternal.class);
+                Intent packageIntent = new Intent(Intent.ACTION_CREATE_SHORTCUT)
+                        .setPackage(component.getPackageName());
+                List<ResolveInfo> apps = pmInt.queryIntentActivities(packageIntent,
+                        packageIntent.resolveTypeIfNeeded(mContext.getContentResolver()),
+                        PackageManager.MATCH_DIRECT_BOOT_AWARE
+                                | PackageManager.MATCH_DIRECT_BOOT_UNAWARE,
+                        callingUid, user.getIdentifier());
+                // ensure that the component is present in the list
+                if (!apps.stream().anyMatch(
+                        ri -> component.getClassName().equals(ri.activityInfo.name))) {
+                    return null;
+                }
+
+                Intent intent = new Intent(Intent.ACTION_CREATE_SHORTCUT).setComponent(component);
                 final PendingIntent pi = PendingIntent.getActivityAsUser(
                         mContext, 0, intent, PendingIntent.FLAG_ONE_SHOT
                                 | PendingIntent.FLAG_IMMUTABLE | PendingIntent.FLAG_CANCEL_CURRENT,
author	TreeHugger Robot <treehugger-gerrit@google.com>	2021-04-15 01:01:14 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	2021-04-15 01:01:14 +0000
commit	d8b162aac83b1bbf6c6c3c61699cdbe23fada30c (patch)
tree	ab40de54f8cc4e7779ccecf23d3ffa759fffc1de
parent	e53db0d40254f57d8af33e0dcac43e464a06bd31 (diff)
parent	15fdb150a3ad5fbeebdcb2cbb8832073b49c64d3 (diff)