From a5b209d924399fb250fdeedcd21d4539ccf12c34 Mon Sep 17 00:00:00 2001
From: Pinyao Ting <pinyaoting@google.com>
Date: Thu, 1 Jun 2023 18:12:44 -0700
Subject: [PATCH 1/2] Fix permission issue in legacy shortcut

When building legacy shortcut, Launcher calls
PackageManager#resolveActivity to retrieve necessary permission to
launch the intent.

However, when the source app wraps an arbitrary intent within
Intent#createChooser, the existing logic will fail because launching
Chooser doesn't require additional permission.

This CL fixes the security vulnerability by performing the permission
check against the intent that is wrapped within.

Bug: 270152142
Test: manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c53818a16b4322a823497726ac7e7a44501b4442)
Merged-In: If35344c08975e35085c7c2b9b814a3c457a144b0
Change-Id: If35344c08975e35085c7c2b9b814a3c457a144b0
---
 .../android/launcher3/util/PackageManagerHelper.java | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/com/android/launcher3/util/PackageManagerHelper.java b/src/com/android/launcher3/util/PackageManagerHelper.java
index 86f3431b5..02287fd0f 100644
--- a/src/com/android/launcher3/util/PackageManagerHelper.java
+++ b/src/com/android/launcher3/util/PackageManagerHelper.java
@@ -153,6 +153,18 @@ public static boolean isAppSuspended(ApplicationInfo info) {
      * any permissions
      */
     public boolean hasPermissionForActivity(Intent intent, String srcPackage) {
+        // b/270152142
+        if (Intent.ACTION_CHOOSER.equals(intent.getAction())) {
+            final Bundle extras = intent.getExtras();
+            if (extras == null) {
+                return true;
+            }
+            // If given intent is ACTION_CHOOSER, verify srcPackage has permission over EXTRA_INTENT
+            intent = (Intent) extras.getParcelable(Intent.EXTRA_INTENT);
+            if (intent == null) {
+                return true;
+            }
+        }
         ResolveInfo target = mPm.resolveActivity(intent, 0);
         if (target == null) {
             // Not a valid target

From a60f81de08d8f204b9f490ccde5238232a325ec9 Mon Sep 17 00:00:00 2001
From: Pinyao Ting <pinyaoting@google.com>
Date: Tue, 12 Sep 2023 22:37:16 +0000
Subject: [PATCH 2/2] Fix permission bypass in legacy shortcut

Intent created for Chooser should not be allowed in legacy shortcuts
since it doesn't make sense for user to tap on a shortcut in homescreen
to share, the expected share flow started from ShareSheet.

Bug: 295334906, 295045199
Test: manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b7b192bd7f24a2aa7d6881ee949657c9760c0305)
Merged-In: I8d0cbccdc31bd4cb927830e5ecf841147400fdfa
Change-Id: I8d0cbccdc31bd4cb927830e5ecf841147400fdfa
---
 .../android/launcher3/util/PackageManagerHelper.java  | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/src/com/android/launcher3/util/PackageManagerHelper.java b/src/com/android/launcher3/util/PackageManagerHelper.java
index 02287fd0f..fc6a91d1b 100644
--- a/src/com/android/launcher3/util/PackageManagerHelper.java
+++ b/src/com/android/launcher3/util/PackageManagerHelper.java
@@ -155,15 +155,8 @@ public static boolean isAppSuspended(ApplicationInfo info) {
     public boolean hasPermissionForActivity(Intent intent, String srcPackage) {
         // b/270152142
         if (Intent.ACTION_CHOOSER.equals(intent.getAction())) {
-            final Bundle extras = intent.getExtras();
-            if (extras == null) {
-                return true;
-            }
-            // If given intent is ACTION_CHOOSER, verify srcPackage has permission over EXTRA_INTENT
-            intent = (Intent) extras.getParcelable(Intent.EXTRA_INTENT);
-            if (intent == null) {
-                return true;
-            }
+            // Chooser shortcuts is not a valid target
+            return false;
         }
         ResolveInfo target = mPm.resolveActivity(intent, 0);
         if (target == null) {