From 413020a6ca6e7d4eb7e61e3fe7d7a4c570a605db Mon Sep 17 00:00:00 2001
From: Christopher Tate
Date: Tue, 23 Jun 2015 19:23:46 -0700
Subject: [PATCH] Require that verified intent filters only have http/https decls
It is malformed to write a single intent filter like this: In practice this app is accidentally defining a filter that will match "http://*". This is now detected, and will never be auto-verified for any of the mentioned domains. Verified intent filters must *only* handle the http & https schemes.
Bug 21920537
Change-Id: I933cddbea23185d242565cac940e1e7a7e4e289b
---
 core/java/android/content/IntentFilter.java | 35 ++++++++++++++-----
 .../server/pm/PackageManagerService.java | 3 +-
 2 files changed, 27 insertions(+), 11 deletions(-)
diff --git a/core/java/android/content/IntentFilter.java b/core/java/android/content/IntentFilter.java
index d83dfc5eb54fb..e267b5297526b 100644
--- a/core/java/android/content/IntentFilter.java
+++ b/core/java/android/content/IntentFilter.java
@@ -16,7 +16,6 @@

 package android.content;

-import android.content.pm.PackageParser;
 import android.net.Uri;
 import android.os.Parcel;
 import android.os.Parcelable;
@@ -534,13 +533,15 @@ public class IntentFilter implements Parcelable {
 */
 public final boolean handleAllWebDataURI() {
 return hasCategory(Intent.CATEGORY_APP_BROWSER) ||
- (hasWebDataURI() && countDataAuthorities() == 0);
+ (hasOnlyWebDataURI() && countDataAuthorities() == 0);
 }

 /**
- * Return if this filter has any HTTP or HTTPS data URI or not.
+ * Return if this filter handles only HTTP or HTTPS data URIs.
 *
- * @return True if the filter has any HTTP or HTTPS data URI. False otherwise.
+ * @return True if the filter handles ACTION_VIEW/CATEGORY_BROWSABLE,
+ * has at least one HTTP or HTTPS data URI pattern defined, and does not
+ * define any non-http/https data URI patterns.
 *
 * This will check if if the Intent action is {@link android.content.Intent#ACTION_VIEW} and
 * the Intent category is {@link android.content.Intent#CATEGORY_BROWSABLE} and the Intent
@@ -548,10 +549,26 @@ public class IntentFilter implements Parcelable {
 *
 * @hide
 */
- public final boolean hasWebDataURI() {
- return hasAction(Intent.ACTION_VIEW) &&
- hasCategory(Intent.CATEGORY_BROWSABLE) &&
- (hasDataScheme(SCHEME_HTTP) || hasDataScheme(SCHEME_HTTPS));
+ public final boolean hasOnlyWebDataURI() {
+ // Require ACTION_VIEW, CATEGORY_BROWSEABLE, and at least one scheme
+ if (!hasAction(Intent.ACTION_VIEW)
+ || !hasCategory(Intent.CATEGORY_BROWSABLE)
+ || mDataSchemes == null
+ || mDataSchemes.size() == 0) {
+ return false;
+ }
+
+ // Now allow only the schemes "http" and "https"
+ final int N = mDataSchemes.size();
+ for (int i = 0; i < N; i++) {
+ final String scheme = mDataSchemes.get(i);
+ if (!SCHEME_HTTP.equals(scheme) && !SCHEME_HTTPS.equals(scheme)) {
+ return false;
+ }
+ }
+
+ // Everything passed, so it's an only-web-URIs filter
+ return true;
 }

 /**
@@ -568,7 +585,7 @@ public class IntentFilter implements Parcelable {
 * @hide
 */
 public final boolean needsVerification() {
- return hasWebDataURI() && getAutoVerify();
+ return getAutoVerify() && hasOnlyWebDataURI();
 }

 /**
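Review bot: Switching `handleAllWebDataURI()` to `hasOnlyWebDataURI()` changes more than verification: a VIEW/BROWSABLE filter that declares `http` plus some other scheme and no authorities still matches every http URI, yet this method now reports false for it. The commit message only motivates keeping such filters out of auto-verification, so any caller that relies on this method to recognise catch-all web handlers (none are visible in this diff) would presumably stop seeing them. Consider keeping the any-web-scheme test here, `(hasAction(Intent.ACTION_VIEW) && hasCategory(Intent.CATEGORY_BROWSABLE) && (hasDataScheme(SCHEME_HTTP) || hasDataScheme(SCHEME_HTTPS)) && countDataAuthorities() == 0)`, and reserving the strict check for `needsVerification()`. The method's Javadoc starts outside the hunk, so confirm which meaning it documents.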
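Review bot: The Javadoc for `hasOnlyWebDataURI()` leaves its descriptive paragraph ("This will check if if the Intent action is ...") after the rewritten `@return`, so Javadoc renders it as part of the return tag, and it still carries the doubled "if". Move that paragraph above `@return` and have it state that every declared scheme must be http or https; its last line lies outside the hunk, so check that the wording there matches the new behaviour. In the body, the comment `// Require ACTION_VIEW, CATEGORY_BROWSEABLE, and at least one scheme` misspells the constant that the code uses as `Intent.CATEGORY_BROWSABLE`, which defeats a search for the name.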
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index dbf0f176dd83d..be1afa8882e06 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -12020,8 +12020,7 @@ public class PackageManagerService extends IPackageManager.Stub {
 final int verificationId = mIntentFilterVerificationToken++;
 for (PackageParser.Activity a : pkg.activities) {
 for (ActivityIntentInfo filter : a.intents) {
- boolean needsFilterVerification = filter.hasWebDataURI();
- if (needsFilterVerification && needsNetworkVerificationLPr(filter)) {
+ if (filter.hasOnlyWebDataURI() && needsNetworkVerificationLPr(filter)) {
 if (DEBUG_DOMAIN_VERIFICATION) Slog.d(TAG,
 "Verification needed for IntentFilter:" + filter.toString());
 mIntentFilterVerifier.addOneIntentFilterVerification(
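Review bot: A filter that requests auto-verification but also declares a non-web scheme is now skipped at this `if` without any trace, so whoever is triaging why an app's links never get verified has nothing in the log to go on. A line ahead of the existing `if` would make the rejection visible: `if (filter.getAutoVerify() && !filter.hasOnlyWebDataURI()) Slog.w(TAG, "autoVerify filter declares non-http(s) schemes, not verifying: " + filter);`. The enclosing loops and method start and end outside the hunk and `needsNetworkVerificationLPr` is not shown, so confirm that this case is not already reported there.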