From f89e70d29088305aa6ad43f7958be3c6e120b14c Mon Sep 17 00:00:00 2001
From: Pinyao Ting
Date: Fri, 16 Jul 2021 23:28:40 +0000
Subject: [PATCH] Refrain from returning mutable pending intent in getShortcutIntent

Mutable PendingIntent leads to potential security vulnerabilities, this CL makes the returning PendingIntent immutable | update current. The recipeint cannot change the content of the PendingIntent directly, but the owner can still update the extras of the PendingIntent.
Note: PendingIntent is internally cached in PendingIntentController, so the owner process do have access to the PendingIntent since LauncherAppServices called ActivityManagerService#getPendingIntentActivityAsApp to retrieve the PendingIntent.

Bug: 190732424
Test: atest ShortcutManagerClientApiTest
Change-Id: Ife8ad7824f061e9e20d31c96f76ceed4edb547cd
---
 .../core/java/com/android/server/pm/LauncherAppsService.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/services/core/java/com/android/server/pm/LauncherAppsService.java b/services/core/java/com/android/server/pm/LauncherAppsService.java
index 5b2c80903ce5e..419b72675c497 100644
--- a/services/core/java/com/android/server/pm/LauncherAppsService.java
+++ b/services/core/java/com/android/server/pm/LauncherAppsService.java
@@ -18,7 +18,7 @@ package com.android.server.pm;

 import static android.app.ActivityOptions.KEY_SPLASH_SCREEN_THEME;
 import static android.app.PendingIntent.FLAG_IMMUTABLE;
-import static android.app.PendingIntent.FLAG_MUTABLE;
+import static android.app.PendingIntent.FLAG_UPDATE_CURRENT;
 import static android.content.Intent.FLAG_ACTIVITY_MULTIPLE_TASK;
 import static android.content.Intent.FLAG_ACTIVITY_NEW_DOCUMENT;
 import static android.content.pm.LauncherApps.FLAG_CACHE_BUBBLE_SHORTCUTS;
@@ -699,7 +699,8 @@ public class LauncherAppsService extends SystemService {
 final long ident = Binder.clearCallingIdentity();
 try {
 return injectCreatePendingIntent(0 /* requestCode */, intents,
- FLAG_MUTABLE, opts, packageName, mPackageManagerInternal.getPackageUid(
+ FLAG_IMMUTABLE | FLAG_UPDATE_CURRENT, opts, packageName,
+ mPackageManagerInternal.getPackageUid(
 packageName, PackageManager.MATCH_DIRECT_BOOT_AUTO,
 user.getIdentifier()));
 } finally {
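Review bot: The new flag argument at the `injectCreatePendingIntent` call has no comment saying why `FLAG_UPDATE_CURRENT` is paired with `FLAG_IMMUTABLE`; that rationale exists only in the commit message. Because the request code is fixed at 0, a later call whose intents match an earlier one apart from extras would presumably refresh the extras of the cached PendingIntent that an earlier recipient already holds, so the trade-off should be recorded at the call site. Suggested comment above the call: `// Immutable so the recipient cannot fill in or alter the intent; UPDATE_CURRENT only lets a later call refresh extras on the cached record.` The enclosing method starts and ends outside the hunk, so the caller access check that should precede `Binder.clearCallingIdentity()` cannot be confirmed from here.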