author | Adam Powell <adamp@google.com> | 2016-04-28 16:32:18 -0700 |
---|---|---|
committer | The Android Automerger <android-build@google.com> | 2016-05-27 11:31:18 -0700 |
commit | d2ef34d04101da98be587dd5b0455b86de88ed70 (patch) | |
tree | 67416446519f9d8fad6495bba0015b59495020b5 /core/java | |
parent | ec2fc50d202d975447211012997fe425496c849c (diff) | |
Backport ChooserTarget package source check from N
Fix a bug where a ChooserTargetService could supply a ChooserTarget
pointing at a non-exported activity outside of its own package and
have it launch.
Bug 28384423
Change-Id: I3f5854f91c5695ad9253d71055ef58224df47008
Diffstat (limited to 'core/java')
-rw-r--r-- | core/java/com/android/internal/app/ChooserActivity.java | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/core/java/com/android/internal/app/ChooserActivity.java b/core/java/com/android/internal/app/ChooserActivity.java index 7699673..e137f94 100644 --- a/core/java/com/android/internal/app/ChooserActivity.java +++ b/core/java/com/android/internal/app/ChooserActivity.java @@ -656,7 +656,19 @@ public class ChooserActivity extends ResolverActivity { } intent.setComponent(mChooserTarget.getComponentName()); intent.putExtras(mChooserTarget.getIntentExtras()); - activity.startActivityAsCaller(intent, options, true, userId); + + // Important: we will ignore the target security checks in ActivityManager + // if and only if the ChooserTarget's target package is the same package + // where we got the ChooserTargetService that provided it. This lets a + // ChooserTargetService provide a non-exported or permission-guarded target + // to the chooser for the user to pick. + // + // If mSourceInfo is null, we got this ChooserTarget from the caller or elsewhere + // so we'll obey the caller's normal security checks. + final boolean ignoreTargetSecurity = mSourceInfo != null + && mSourceInfo.getResolvedComponentName().getPackageName() + .equals(mChooserTarget.getComponentName().getPackageName()); + activity.startActivityAsCaller(intent, options, ignoreTargetSecurity, userId); return true; } |
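Review bot: the new ignoreTargetSecurity expression null-checks only mSourceInfo; mSourceInfo.getResolvedComponentName() and mChooserTarget.getComponentName() are both dereferenced with .getPackageName() unguarded. The ChooserTarget comes from a third-party ChooserTargetService, so if either call can return null this path should fail closed (ignoreTargetSecurity = false, leaving the caller's normal checks in force) rather than throw inside the chooser. Consider pulling the comparison into a small helper that returns false on any null component, which also gives the trust decision a single place to unit test. The test worth adding alongside it is the case from the commit message: a target whose package differs from the providing service's package must reach startActivityAsCaller with ignoreTargetSecurity false. The comment block above the expression documents the intent well and should stay with the check if it moves.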