| author | 2024-12-09 17:12:10 -0800 | |
|---|---|---|
| committer | 2024-12-10 11:20:40 -0800 | |
| commit | e73bb60fed12daa78ddad8308b31b0c78f1c3c66 (patch) | |
| tree | 1bf92a237d22a363ba607320e0d46614d1131cfe | |
| parent | ec5b02f0c151d01a2565b4d9788297a4b671393f (diff) | |
Verify that the caller has permissions for the icons it provided.
Bug: 277207798
Test: manual testing: first reproduce the issue as described in the
ticket, then check that it is not reproducible after the fix.
Merged-In: I08992550507572a4878c501184360a58adef53ad
Change-Id: Ic8cb75ed586e94c5895065f772bfb21013396dd0
| -rw-r--r-- | core/java/com/android/internal/app/ChooserActivity.java | 50 |
1 files changed, 49 insertions, 1 deletions
diff --git a/core/java/com/android/internal/app/ChooserActivity.java b/core/java/com/android/internal/app/ChooserActivity.java
index 919c176b5841..4e4305aa73b1 100644
--- a/core/java/com/android/internal/app/ChooserActivity.java
+++ b/core/java/com/android/internal/app/ChooserActivity.java
@@ -16,6 +16,7 @@
 package com.android.internal.app;
+import static android.content.ContentProvider.getUriWithoutUserId;
 import static android.content.ContentProvider.getUserIdFromUri;
 import static com.android.internal.util.LatencyTracker.ACTION_LOAD_SHARE_SHEET;
@@ -32,7 +33,9 @@ import android.annotation.NonNull;
 import android.annotation.Nullable;
 import android.app.Activity;
 import android.app.ActivityManager;
+import android.app.IUriGrantsManager;
 import android.app.SharedElementCallback;
+import android.app.UriGrantsManager;
 import android.app.prediction.AppPredictionContext;
 import android.app.prediction.AppPredictionManager;
 import android.app.prediction.AppPredictor;
@@ -68,6 +71,7 @@ import android.graphics.Paint;
 import android.graphics.Path;
 import android.graphics.drawable.AnimatedVectorDrawable;
 import android.graphics.drawable.Drawable;
+import android.graphics.drawable.Icon;
 import android.metrics.LogMaker;
 import android.net.Uri;
 import android.os.AsyncTask;
@@ -77,6 +81,7 @@ import android.os.Handler;
 import android.os.Message;
 import android.os.Parcelable;
 import android.os.PatternMatcher;
+import android.os.RemoteException;
 import android.os.ResultReceiver;
 import android.os.UserHandle;
 import android.os.UserManager;
@@ -663,7 +668,11 @@ public class ChooserActivity extends ResolverActivity implements
 targets = null;
 break;
 }
- targets[i] = (ChooserTarget) pa[i];
+ ChooserTarget chooserTarget = (ChooserTarget) pa[i];
+ if (!hasValidIcon(chooserTarget)) {
+ chooserTarget = removeIcon(chooserTarget);
+ }
+ targets[i] = chooserTarget;
 }
 mCallerChooserTargets = targets;
 }
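Review bot: Nothing at the call site in the caller-target loop explains why a target can lose its icon and still be shown; the reason lives only in the commit message. A one-line comment above the new check would help, for example `// Caller may not be allowed to grant read access to its icon URI: keep the target, drop the icon.` The check also performs one synchronous permission lookup per caller-supplied target, and the loop bounds are outside this hunk, so whether the array length is capped before this point cannot be confirmed from here. The enclosing method starts and ends outside the hunk.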
@@ -4038,4 +4047,43 @@ public class ChooserActivity extends ResolverActivity implements
 private boolean shouldNearbyShareBeIncludedAsActionButton() {
 return !shouldNearbyShareBeFirstInRankedRow();
 }
+
+ private boolean hasValidIcon(ChooserTarget target) {
+ Icon icon = target.getIcon();
+ if (icon == null) {
+ return true;
+ }
+ if (icon.getType() == Icon.TYPE_URI || icon.getType() == Icon.TYPE_URI_ADAPTIVE_BITMAP) {
+ Uri uri = icon.getUri();
+ try {
+ getUriGrantsManager().checkGrantUriPermission_ignoreNonSystem(
+ getLaunchedFromUid(),
+ getPackageName(),
+ getUriWithoutUserId(uri),
+ Intent.FLAG_GRANT_READ_URI_PERMISSION,
+ getUserIdFromUri(uri)
+ );
+ } catch (SecurityException | RemoteException e) {
+ Log.e(TAG, "Failed to get URI permission for: " + uri, e);
+ return false;
+ }
+ }
+ return true;
+ }
+
+ private IUriGrantsManager getUriGrantsManager() {
+ return UriGrantsManager.getService();
+ }
+
+ private static ChooserTarget removeIcon(ChooserTarget target) {
+ if (target == null) {
+ return null;
+ }
+ return new ChooserTarget(
+ target.getTitle(),
+ null,
+ target.getScore(),
+ target.getComponentName(),
+ target.getIntentExtras());
+ }
 } |
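Review bot: In `hasValidIcon`, the user id handed to `checkGrantUriPermission_ignoreNonSystem` comes from the one-argument `getUserIdFromUri(uri)`, which as far as I know falls back to `UserHandle.USER_CURRENT` when the URI carries no user id, so an icon URI from a caller running in another profile would be checked against the foreground user rather than the caller's own. Deriving the default from the launching uid looks safer: `getUserIdFromUri(uri, UserHandle.getUserId(getLaunchedFromUid()))`. The method also deserves a short Javadoc stating that "valid" means the launching uid may grant read access to the icon URI, and that non-URI icon types pass unchecked by design. The `Log.e` call writes the caller-supplied URI in full; logging only `uri.getAuthority()` would keep untrusted strings and possible identifiers out of the log. `removeIcon` null-checks `target` while `hasValidIcon` dereferences it unconditionally, so one of the two is inconsistent with the call site.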