From 7a7dce808e1545e859b80b86f0279ee68ce3f0cc Mon Sep 17 00:00:00 2001
From: Marcin Kosiba
Date: Wed, 7 May 2014 15:22:07 +0100
Subject: Sanitize selector Intent when handling intent: scheme.
Android Intents have a selector field which, if present, are used to search for the Activity to invoke. These must also be sanitized before handing off to the OS.
BUG:14562482
Change-Id: I30461e11be48ec623ab0f56d0d0f206dc2849c98
---
 .../com/android/webview/chromium/WebViewContentsClientAdapter.java | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/chromium/java/com/android/webview/chromium/WebViewContentsClientAdapter.java b/chromium/java/com/android/webview/chromium/WebViewContentsClientAdapter.java
index 8749985..3a81c0d 100644
--- a/chromium/java/com/android/webview/chromium/WebViewContentsClientAdapter.java
+++ b/chromium/java/com/android/webview/chromium/WebViewContentsClientAdapter.java
@@ -189,6 +189,11 @@ public class WebViewContentsClientAdapter extends AwContentsClient {
 // security (only access to BROWSABLE activities).
 intent.addCategory(Intent.CATEGORY_BROWSABLE);
 intent.setComponent(null);
+ Intent selector = intent.getSelector();
+ if (selector != null) {
+ selector.addCategory(Intent.CATEGORY_BROWSABLE);
+ selector.setComponent(null);
+ }
 // Pass the package name as application ID so that the intent from the
 // same application can be opened in the same tab.
 intent.putExtra(Browser.EXTRA_APPLICATION_ID,
-- cgit v1.2.3
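Review bot: The added selector block has no comment saying why the selector needs the same treatment as the main intent, unlike the `// security (only access to BROWSABLE activities).` comment on the lines just above it. Per the commit message, a selector, when present, is what the OS uses to find the Activity, so restricting `intent` alone would not be enough; I would add `// A selector, if set, is used for Activity resolution instead of the main intent, so restrict it the same way.` above `Intent selector = intent.getSelector();`. The diffstat shows only this file changed, so no regression test for an intent: URL carrying a selector appears to be part of the commit; one asserting that the selector ends up with CATEGORY_BROWSABLE and a null component would keep this from regressing. The enclosing method starts and ends outside the hunk.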