Intent.createChooser() should copy EXTRA_STREAM to ClipData on the chooser intent [176280829]

WAI

Bug

[AOSP] assigned

Status Update

No update yet.

Description

ch...@gmail.com

created issue #1

Dec 24, 2020 06:02PM

As the title says: Intent.createChooser() does not copy EXTRA_STREAM to ClipData on the chooser intent. This means it doesn't grant the system's share sheet UI access to content uris.

Note: This issue is related to #173137936 - ShareCompat.IntentBuilder + startChooser() doesn't grant system's share sheet UI access to content - it turns out Android core has the same problem.

Reproduce:

Intent intent = new Intent(INTENT.ACTION_SEND);
intent.putExtra(Intent.EXTRA_STREAM, uri);
intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISISON);
Intent chooserIntent = Intent.createChooser(intent, null);
startActivity(chooserIntent);

Result:

chooserIntent does not include ClipData nor any necessary flags for the uri. Whatever app handles ACTION_CHOOSER does not have access to that uri.

Solution

I propose a change to Intent.createChooser() and add something like the following (pseudo) code:

if (permFlags != 0) {
  /* ... */
  if (targetClipData == null && target.hasExtra(EXTRA_STREAM)) {
    intent.setClipData( ClipData.newRawUri(null, target.getExtra(EXTRA_STREAM)) );
  }

Note: the above code example does not account for an array of uris, so it should probably check for Intent.ACTION_SEND_MULTIPLE and act accordingly.

Context / background:

With Android Jelly Bean (API 16) Intent.setClipData(android.content.ClipData) was introduced. However, many apps - including many Google apps like Chrome (issue) and Photos and from what I can tell even Android's stock Files app - don't use it. Instead, they only provide an (array of) EXTRA_STREAM and add the FLAG_GRANT_READ_URI_PERMISISON, then call it a day (see code snippet above)

Intent intent = new Intent(INTENT.ACTION_SEND);
intent.putExtra(Intent.EXTRA_STREAM, uri);
intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISISON);
Intent chooserIntent = Intent.createChooser(intent, null);
startActivity(chooserIntent);

instead of

Intent intent = new Intent(INTENT.ACTION_SEND);
intent.setClipData(ClipData.newRawUri(null, uri);
intent.putExtra(Intent.EXTRA_STREAM, uri);
Intent chooserIntent = Intent.createChooser(intent, null);
startActivity(chooserIntent);

In this very common scenario, Intent.createChooser() will not call setClipData() with the provided EXTRA_STREAM uri(s) and addFlags(FLAG_GRANT_READ_URI_PERMISISON) on the chooser intent it creates (see Intent.createChooser() source code).

This results in a chooser intent that does not grant the (system's, or any other) share sheet UI access to the uri(s). However, it needs this access so it can grant it to the 'destination' app the user then chooses.

From what I've learned from the Android system share menu's source code, it leverages its system app privileges to start the destination app on the sending app's behalf. That way the system share menu can grant read permission for content:// uris that it doesn't actually has access to. As you can probably imagine, 3rd party share menu replacement apps are not allowed to pull these kinds of shenanigans.

For sake of consistency and to encourage developers to follow the documentation (see below), I think it may also be time to deprecate (and eventually remove) the system share menu's ability to launch an activity on behalf of the sender, at least not when targeting SDK 16 or later. The fact this problem has gone unnoticed for so long (since SDK 16) and apps - including Google and Android stock apps - are still not using these APIs correctly, proves this 'fallback' is, in the end, encouraging bad practice. The system's share menu should probably not have to use workarounds like this unless it's absolutely necessary.

Relevant Android documentation:

Intent#ACTION_SEND

Context#startActivity(Intent) will copy EXTRA_STREAM to ClipData - but it doesn't copy ClipData (and necessary flags) if the intent is encapsulated in a chooser intent:

As of Build.VERSION_CODES.JELLY_BEAN, the data being sent can be supplied through setClipData(android.content.ClipData). This allows you to use FLAG_GRANT_READ_URI_PERMISSION when sharing content: URIs and other advanced features of ClipData. If using this approach, you still must supply the same data through the EXTRA_TEXT or EXTRA_STREAM fields described below for compatibility with old applications. If you don't set a ClipData, it will be copied there for you when calling Context#startActivity(Intent).

Source: https://developer.android.com/reference/android/content/Intent#ACTION_SEND

Intent#ACTION_CHOOSER

Intent.createChooser() seems to handle copying uri(s) and necessary flags to the chooser intent - but it doesn't when only the EXTRA_STREAM (and no ClipData is set):

If you need to grant URI permissions through a chooser, you must specify the permissions to be granted on the ACTION_CHOOSER Intent in addition to the EXTRA_INTENT inside. This means using setClipData(ClipData) to specify the URIs to be granted as well as FLAG_GRANT_READ_URI_PERMISSION and/or FLAG_GRANT_WRITE_URI_PERMISSION as appropriate.

Source: https://developer.android.com/reference/android/content/Intent#ACTION_CHOOSER

Comments

mm...@commonsware.com <mm...@commonsware.com> #2Dec 27, 2020 02:32PM

Androidx.activity actually doesn't do anything with those APIs and this behavior comes from the framework. Moving it to that component.

ja...@google.com <ja...@google.com> #3Dec 28, 2020 06:15PM

Assigned to ja...@google.com.

Thank you for letting me know. Then which subject should we have instead of Android Public Tracker > App Development > Jetpack (androidx) > Activity ?

ch...@gmail.com <ch...@gmail.com> #4Dec 29, 2020 08:28AM

Android Public Tracker > Framework is the correct component for framework issues.

deleted

Restricted

0 B

deleted

Restricted

0 B

ja...@google.com <ja...@google.com> #5Dec 29, 2020 04:55PM

Please provide the following additional information:

Please mention the steps to be followed for reproducing the issue with the given sample apk.

Android bug report capturing

After reproducing the issue, press the volume up, volume down, and power button simultaneously. This will capture a bug report on your device in the “bug reports” directory.

Alternate method

Navigate to “Developer options”, ensure “USB debugging” is enabled, then enable “Bug report shortcut”. Capture bug report by holding the power button and selecting the “Take bug report” option.

Screen record of the issue, for clarity
Please capture screen record or video of the issue using following steps:
adb shell screenrecord /sdcard/video.mp4
Subsequently use following command to pull the recorded file:
adb pull /sdcard/video.mp4

Note: Please upload the files to google drive and share the folder to android-bugreport@google.com, then share the link here.

js...@google.com <js...@google.com> #6Jan 5, 2021 10:30PM

Reassigned to ch...@gmail.com.

1 - If you click on "click me" button in the 1st Activity, 2nd Activity will start with option bundle. 2 - If you search in searchView, button in the 2nd Activity will be gone. 3 - click on device home button and then resume the app again, button in 2nd activity becomes visible which is unexpected. 4 - if you search again, click on device home button and resume the app again, button in the 2nd Activity will be gone as expected. (Unexpected behavior happens just in the 1st search)

Bug report capturing : https://drive.google.com/file/d/1oVWNGpykUbMifWkQ76sApG9i1nEIYMfH/view?usp=sharing

Screen recording : https://drive.google.com/file/d/1oY8qBizirEaPYi3ne3G3Opg_kU0tpUl9/view?usp=sharing

Sample code : https://github.com/alirezaeiii/SearchViewOption

APK : https://drive.google.com/file/d/16rBVU-DPh6Fx7xU9P5lKo9Pxlnz6k8H3/view?usp=sharing

mm...@commonsware.com <mm...@commonsware.com> #7Jan 5, 2021 10:36PM

We have shared this with our product and engineering team and will update this issue with more information as it becomes available.

ch...@gmail.com <ch...@gmail.com> #8Jan 6, 2021 07:10AM

#c6: Thanks for looking into it.

Developers should instead explicitly call Intent.addFlags() to reflect their intentions, since we can't assume they're okay granting read and/or write access for the intent being chosen.

From my experience, 99% of Android share code looks like this:

Intent intent = new Intent(INTENT.ACTION_SEND);
intent.putExtra(Intent.EXTRA_STREAM, uri);
intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISISON);
Intent chooserIntent = Intent.createChooser(intent, null);
startActivity(chooserIntent);

They add the EXTRA_STREAM and the Intent.FLAG_GRANT_READ_URI_PERMISISON flag. In other words: they already explicitly reflect their intentions to grant read permissions.

The problem is that they almost never add ClipData.

Respectable, well-known apps like Nova Launcher, Talon for Twitter, Pulse SMS and many others did not add ClipData until I contacted them. Even Google apps like Chrome currently have this problem (issue, source code). I'm pretty sure that other Google apps like Photos and Messenger do, too. I think even the Android stock Files app does not add ClipData!

This breaks the share menu preview for images and it breaks 3rd party share menus. It may break other things, too.

Developers assume the above code snippet is fine because the system works around the issue ("ChooserActivity will already start the picked item as the caller", see below). I think very, very few developers are aware that they should add ClipData when targeting SDK >= 16.

Regarding the comment in Intent.migrateExtraStreamToClipData():

ChooserActivity will already start the picked item as the caller

That's something only the system share menu can do. 3rd party share menu replacement apps can't (for good reasons :)). Besides, even though the system share menu fixes the permission issue for the target app, the share menu itself can't access the file, that's why the preview image doesn't work when ClipData isn't set.

If, for security or other reasons, Android will not copy EXTRA_STREAM to ClipData on the chooser intent, then I think developers should receive strong indications on how to properly share files when targeting SDK >= 16 and existing code should throw Lint warnings as #c7 proposes.

Lastly, ShareCompat seems to be happy to copy EXTRA_STREAM to ClipData on the chooser intent. I know it's a "but what about ..." but I guess it needs saying :) Should they revert the fix?

ja...@google.com <ja...@google.com> Jan 6, 2021 03:55PM

Status: Won't Fix (Intended Behavior)

ch...@gmail.com <ch...@gmail.com> #9Jan 6, 2021 05:01PM

Could you please explain why this is a "won't fix"?

Is it intended that FLAG_GRANT_READ_URI_PERMISSION should work for EXTRA_STREAM?

Because ChooserActivity contains code that makes this work:

intent.putExtra(Intent.EXTRA_STREAM, uri);
intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISISON);

If this is intended behaviour, shouldn't it work 'earlier in the chain'? So that ChooserActivity itself can display a preview image and apps that legitimately replace ChooserActivity (via the ACTION_CHOOSER intent-filter) can do their work without throwing SecurityException when the EXTRA_INTENT contains a uri?

If this should not work, then why does ChooserActivity make it work anyway?

ja...@google.com <ja...@google.com> #10Jan 6, 2021 05:38PM

Thank you for the update. We’ve shared this with our product and engineering teams and will continue to provide updates as more information becomes available.

gr...@gmail.com <gr...@gmail.com> #11Jul 30, 2024 04:53AM

Workaround? What needs to be added into an app?