From 82b9565bd13e2c5dac20b3221b7be28c5afe57ea Mon Sep 17 00:00:00 2001
From: Adam Powell
Date: Thu, 28 Apr 2016 16:32:18 -0700
Subject: [PATCH] Backport ChooserTarget package source check from N

Fix a bug where a ChooserTargetService could supply a ChooserTarget pointing at a non-exported activity outside of its own package and have it launch.

Bug 28384423
Change-Id: I3f5854f91c5695ad9253d71055ef58224df47008
---
 .../com/android/internal/app/ChooserActivity.java | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/core/java/com/android/internal/app/ChooserActivity.java b/core/java/com/android/internal/app/ChooserActivity.java
index d9faece9485f5..16190d038d0de 100644
--- a/core/java/com/android/internal/app/ChooserActivity.java
+++ b/core/java/com/android/internal/app/ChooserActivity.java
@@ -616,7 +616,19 @@ public class ChooserActivity extends ResolverActivity {
 }
 intent.setComponent(mChooserTarget.getComponentName());
 intent.putExtras(mChooserTarget.getIntentExtras());
- activity.startActivityAsCaller(intent, options, true, userId);
+
+ // Important: we will ignore the target security checks in ActivityManager
+ // if and only if the ChooserTarget's target package is the same package
+ // where we got the ChooserTargetService that provided it. This lets a
+ // ChooserTargetService provide a non-exported or permission-guarded target
+ // to the chooser for the user to pick.
+ //
+ // If mSourceInfo is null, we got this ChooserTarget from the caller or elsewhere
+ // so we'll obey the caller's normal security checks.
+ final boolean ignoreTargetSecurity = mSourceInfo != null
+ && mSourceInfo.getResolvedComponentName().getPackageName()
+ .equals(mChooserTarget.getComponentName().getPackageName());
+ activity.startActivityAsCaller(intent, options, ignoreTargetSecurity, userId);
 return true;
 }
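Review bot: The new `ignoreTargetSecurity` expression dereferences `mChooserTarget.getComponentName()` without a null check, and per the commit message the ChooserTarget is supplied by a ChooserTargetService. If a target can arrive without a component (ChooserTarget's definition is not visible in this hunk), the chooser would throw here rather than fall back to the caller's normal security checks. Adding `&& mChooserTarget.getComponentName() != null` ahead of the package comparison keeps the fail-closed result of `false` in that case. A regression test that offers a target whose package differs from the providing service and asserts the launch is subject to normal checks would pin the fix. The enclosing method starts above the hunk, so how `mSourceInfo` is populated cannot be confirmed from here.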