author oli <olit@google.com> 2025-01-28 16:32:40 +0000
committer Oli Thompson <olit@google.com> 2025-01-29 09:02:40 -0800
commita8dcd86bb23f693772d1a5203828ce1b9b5d3cdf (patch)
treeb121f20fe47cb7c4bed3277e8d4d129923034fa1 /java
parent21ab7fb0b67fe3b5c16fc26b5cf6d016bfc0e248 (diff)
Check underlying intent as well as intent selector
When checking if an intent can be forwarded across profiles, the selector action is checked rather than the intent itself. This means badIntents can be spoofed with a different selector and launched across profiles. Bug: 376674080 Test: manually tested Flag: EXEMPT bugfix (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85ef51a7a91de0e51dd65ce5f09badcd96835817) Merged-In: I744d0d7f89e35665405a14a814d4e0861082a106 Change-Id: I744d0d7f89e35665405a14a814d4e0861082a106
Diffstat (limited to 'java')
-rw-r--r--java/src/com/android/intentresolver/IntentForwarderActivity.java34
1 files changed, 24 insertions, 10 deletions
diff --git a/java/src/com/android/intentresolver/IntentForwarderActivity.java b/java/src/com/android/intentresolver/IntentForwarderActivity.java
index 78240250..6601ff82 100644
--- a/java/src/com/android/intentresolver/IntentForwarderActivity.java
+++ b/java/src/com/android/intentresolver/IntentForwarderActivity.java
@@ -309,31 +309,45 @@ public class IntentForwarderActivity extends Activity {
* Check whether the intent can be forwarded to target user. Return the intent used for
* forwarding if it can be forwarded, {@code null} otherwise.
*/
- static Intent canForward(Intent incomingIntent, int sourceUserId, int targetUserId,
- IPackageManager packageManager, ContentResolver contentResolver) {
+ public static Intent canForward(Intent incomingIntent, int sourceUserId, int targetUserId,
+ IPackageManager packageManager, ContentResolver contentResolver) {
Intent forwardIntent = new Intent(incomingIntent);
forwardIntent.addFlags(
Intent.FLAG_ACTIVITY_FORWARD_RESULT | Intent.FLAG_ACTIVITY_PREVIOUS_IS_TOP);
sanitizeIntent(forwardIntent);
- Intent intentToCheck = forwardIntent;
- if (Intent.ACTION_CHOOSER.equals(forwardIntent.getAction())) {
+ if (!canForwardInner(forwardIntent, sourceUserId, targetUserId, packageManager,
+ contentResolver)) {
return null;
}
+
if (forwardIntent.getSelector() != null) {
- intentToCheck = forwardIntent.getSelector();
+ sanitizeIntent(forwardIntent.getSelector());
+
+ if (!canForwardInner(forwardIntent.getSelector(), sourceUserId, targetUserId,
+ packageManager, contentResolver)) {
+ return null;
+ }
+ }
+ return forwardIntent;
+ }
+
+ private static boolean canForwardInner(Intent intent, int sourceUserId, int targetUserId,
+ IPackageManager packageManager, ContentResolver contentResolver) {
+ if (Intent.ACTION_CHOOSER.equals(intent.getAction())) {
+ return false;
}
- String resolvedType = intentToCheck.resolveTypeIfNeeded(contentResolver);
- sanitizeIntent(intentToCheck);
+
+ String resolvedType = intent.resolveTypeIfNeeded(contentResolver);
try {
if (packageManager.canForwardTo(
- intentToCheck, resolvedType, sourceUserId, targetUserId)) {
- return forwardIntent;
+ intent, resolvedType, sourceUserId, targetUserId)) {
+ return true;
}
} catch (RemoteException e) {
Slog.e(TAG, "PackageManagerService is dead?");
}
- return null;
+ return false;
}
/**
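Review bot: The new `canForwardInner` helper now carries the whole cross-profile decision but has no comment, and the Javadoc kept above `canForward` still does not say that the intent and its selector must each pass the check. I would extend that Javadoc with `Both the intent and its selector, if present, must independently be forwardable.` and put `/** Returns false for ACTION_CHOOSER, when PackageManager refuses the forward, or when the call fails (fail closed). */` on the helper, so a later refactor does not collapse the two checks back into one. The signature also widens `canForward` from package-private to `public` without the commit message naming the caller that needs it; if the reason is test access, `@VisibleForTesting` would make that explicit. In the `catch (RemoteException e)` branch, `Slog.e(TAG, "PackageManagerService is dead?", e);` would keep the cause in the log while still returning false.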